Which solution will meet these requirements?

A SysOps administrator needs to configure a solution that will deliver digital content to a set of authorized users through Amazon CloudFront. Unauthorized users must be restricted from access.

Which solution will meet these requirements?
A . Store the digital content in an Amazon S3 bucket that does not have public access blocked. Use signed URLs to access the S3 bucket through CloudFront.
B . Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Restrict S3 bucket access with signed URLs in CloudFront.
C . Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Enable field-level encryption.
D . Store the digital content in an Amazon S3 bucket that does not have public access blocked. Use signed cookies for restricted delivery of the content through CloudFront.

View Answer

Answer: B

Explanation:

To deliver digital content to authorized users through CloudFront while restricting unauthorized access, you can use an origin access identity (OAI) with signed URLs.

Store Content in S3 with Public Access Blocked:

Ensure the S3 bucket has public access blocked.

Navigate to the S3 console, select the bucket, and configure the "Block Public Access" settings.

Reference: Blocking public access to your Amazon S3 storage Create an OAI for CloudFront:

In the CloudFront console, create an OAI to securely access the S3 bucket.

Associate the OAI with the CloudFront distribution.

Reference: Using an OAI

Restrict S3 Bucket Access to the OAI:

Update the S3 bucket policy to grant access to the OAI.

Example bucket policy:

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI-ID>"

},

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::bucket-name/*"

}

]

}

Use Signed URLs for Restricted Access:

Configure CloudFront to use signed URLs to control access to the content.

Reference: Serving private content with signed URLs and signed cookies

This setup ensures that only authorized users can access the content through CloudFront using signed URLs, while the S3 bucket remains private and secure.