Correct Answer – C
To restrict access to content that you serve from Amazon S3 buckets, follow these steps:
Create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution.
Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users. Make sure that users can’t use a direct URL to the S3 bucket to access a file there.
If you want to serve private content through CloudFront and you're trying to decide whether to use signed URLs or signed cookies, consider the following.
Use signed URLs in the following cases:
You want to restrict access to individual files, for example, an installation download for your application.
Your users are using a client (for example, a custom HTTP client) that doesn't support cookies.
Use signed cookies in the following cases:
You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of the website.
You don't want to change your current URLs.
Option A is incorrect because signed URLs are used to restrict access to files in CloudFront edge caches. They cannot prevent users from fetching files directly through S3 URLs.
Option B is incorrect because signed cookies are also not suited for the above requirements.
Option C is CORRECT because you can configure the CloudFront origin to restrict bucket access through OAI.
Option D is incorrect because, with HTTPS, connections are encrypted between CloudFront and viewers. However, it does not restrict access to the S3 content.
Reference:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-choosing-signed-urls-cookies.html