You have an application deployed in AWS, and a CloudFront distribution is configured to deliver the content. Clients can use the application to get files from an S3 bucket.
You need to restrict access to the files because the content is intended for selected users. You have already associated an origin access identity with the CloudFront distribution, and users cannot bypass CloudFront to access S3 files.
Which methods can you use to serve the private content for CloudFront? (Select TWO.)

Answer options:

A.Configure the CloudFront distribution to require that viewers use HTTPS to request the objects in S3.
B.Develop the application to determine whether a user should have access to the content and create CloudFront signed URLs.
C.Configure AWS WAF in the CloudFront distribution to monitor the HTTP and HTTPS requests and control access to the content in S3.
D.Configure the S3 bucket policy only to allow the CloudFront origin access identity to read files on the bucket.
E.Use the application to check whether or not a user should have access to the content and configure CloudFront signed cookies.

Answer – B and E
Option A is incorrect because HTTPS is not enough to limit access. It needs the application to determine if a user can access specific files.
Option B is CORRECT because the application can return a signed URL to the user which allows the user to download or stream the content. Access to the URL and permission on the file can be made which permits limited and required access only.
Option C is incorrect because AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources but cannot be used to serve private contents in CloudFront.
Option D is incorrect because users cannot bypass CloudFront to access S3 files as per the current setup. The S3 bucket policy should already be configured to limit the CloudFront OAI.
Option E is CORRECT because AWS CloudFront signed cookies enable you to control who can access the content.
Reference:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html