Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 291 discussion

I thought that option A was totally wrong, because the question mentions "HTTP client does not support cookies". However it is right, along with option B. Check the link bellow, first paragraph. https://aws.amazon.com/blogs/media/secure-content-using-cloudfront-functions/

B. Signed URLs - This method allows the media company to control who can access the video content by creating a time-limited URL with a cryptographic signature. This URL can be distributed to the users who are unable to change the hardcoded URLs they are using for access, and they can access the content without needing to support cookies. D. JSON Web Token (JWT) - This method allows the media company to control who can access the video content by creating a secure token that contains user authentication and authorization information. This token can be distributed to the users who are using a custom HTTP client that does not support cookies. The users can include this token in their requests to access the content without needing to support cookies. Therefore, options B and D are the correct answers. Option A (Signed cookies) would not work for users who are using a custom HTTP client that does not support cookies. Option C (AWS AppSync) is not relevant to the requirement of securing video content. Option E (AWS Secrets Manager) is a service used for storing and retrieving secrets, which is not relevant to the requirement of securing video content.

B. Signed URLs: Signed URLs allow you to control access to your content in CloudFront by providing URLs that are valid only for a specified duration. This means users can access the content using the same URLs they have hardcoded, without the need for cookies or special client support. D. JSON Web Token (JWT): JSON Web Tokens (JWTs) can be used to control access to resources by embedding authentication and authorization information in the token itself. Users can include the JWT in the request headers, allowing access to be controlled without relying on cookies. This approach doesn't require changes to hardcoded URLs and can be integrated into custom HTTP clients.

a little tricky but you have to "control" access, ok dont support cookies, so put signed cookies.

so how many marks do you get if you get 1 wrong

If you have gotten this far and got THIS trick question right then you are going to make it! Good Luck!

'SOME are using a client that does not support cookies' -> use signed URLs 'SOME are unable to change the hardcoded URLs' -> used signed cookies

Signed URLs and signed cookies are the most suitable options. They can effectively address the requirements of both users with custom HTTP clients and those with hardcoded URLs.

B & E - B. Signed URLs: This allows you to generate time-limited URLs with a signature that grants temporary access to specific resources in your S3 bucket. It doesn't rely on cookies and can be generated for users without requiring any changes to their HTTP client or hardcoded URLs. This method provides fine-grained control over access to your content. E. AWS Secrets Manager: While AWS Secrets Manager can be useful for managing and rotating secrets, it is not directly related to securing S3 content in the context of the question. It's not one of the primary methods for securing access to S3 objects.

To secure streaming video content from Amazon CloudFront, two methods are available: signed cookies or signed URLs. Customers can choose to use either one or both, depending on the use case.

AB - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

B and D are the correct options for meeting the requirements with the least impact to users. Signed URLs allow access to individual objects in Amazon S3 for a specified time period without requiring cookies. This allows the custom HTTP client users to access content. JSON Web Tokens (JWT) allow users to get temporary access tokens that can be passed in requests. This allows users with hardcoded URLs to access content without updating URLs.

I understand why many users here are voting AB, but in my opinion BD is more correct. Using JWT or signed urls will work both for users that cannot use cookies or cannot change the url.

it's correct

These are the right answers!

"Some of the company’s users" does not support cookies, then they'll use Signed URLs. "Some of the company’s users" are unable to change the hardcoded URLs, then they'll use Signed cookies.

Signed cookies would allow the media company to authorize access to related content (like HLS video segments) with a single signature, minimizing implementation overhead. This works for users that can support cookies. Signed URLs would allow the media company to sign each URL individually to control access, supporting users that cannot use cookies. By embedding the signature in the URL, existing hardcoded URLs would not need to change.