
Answer-first summary for fast verification
Answer: A and C. When you create a signer, the public key is held by CloudFront and the private key is used to sign a portion of the URL; and when you use the root user to manage CloudFront key pairs, you can only have up to two active CloudFront key pairs per AWS account.

Correct options:

When you create a signer, the public key is with CloudFront and private key is used to sign a portion of URL - Each signer that you use to create CloudFront signed URLs or signed cookies must have a public-private key pair. The signer uses its private key to sign the URL or cookies, and CloudFront uses the public key to verify the signature. When you create signed URLs or signed cookies, you use the private key from the signer's key pair to sign a portion of the URL or the cookie. When someone requests a restricted file, CloudFront checks the signature in the URL or cookie against the unsigned URL or cookie, to verify that it hasn't been tampered with. CloudFront also verifies that the URL or cookie is still valid, meaning, for example, that the expiration date and time haven't passed.

When you use the root user to manage CloudFront key pairs, you can only have up to two active CloudFront key pairs per AWS account - This limit applies only to key pairs managed with the root user. With CloudFront key groups, you can associate a higher number of public keys with your CloudFront distribution, giving you more flexibility in how you use and manage the public keys. By default, you can associate up to four key groups with a single distribution, and you can have up to five public keys in a key group.

Incorrect options:

You can also use AWS Identity and Access Management (IAM) permissions policies to restrict what the root user can do with CloudFront key pairs - When you use the AWS account root user to manage CloudFront key pairs, you can't restrict what the root user can do or the conditions in which it can do them. You can't apply IAM permissions policies to the root user, which is one reason why AWS best practices recommend against using the root user.

CloudFront key pairs can be created with any account that has administrative permissions and full access to CloudFront resources - CloudFront key pairs can only be created using the root user account, which is why creating CloudFront key pairs as signers is not a best practice; trusted key groups are the recommended alternative.

Both the signers (trusted key groups and CloudFront key pairs) can be managed using the CloudFront APIs - With CloudFront key groups, you can manage public keys, key groups, and trusted signers using the CloudFront API. You can use the API to automate key creation and key rotation. When you use the AWS root user, you have to use the AWS Management Console to manage CloudFront key pairs, so you can't automate the process.
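To make the signer/verifier split in option A concrete, here is an added example (written for this page, not code from AWS or from the original question) that implements a canned-policy signed URL end to end in Go using only the standard library: the signer side signs the policy with the private key, and a verifier does what CloudFront does at the edge with the public key, rejecting a tampered path, a rewritten Expires value, an expired URL, and a Key-Pair-Id that is not a trusted signer. The distribution domain, the key pair ID and the in-memory map of trusted public keys (standing in for a key group) are all constructed for the example; the policy layout, the RSA PKCS#1 v1.5 over SHA-1 signature and the URL-safe base64 alphabet follow CloudFront's documented signed-URL format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Hypothetical key pair ID; a real one is the ID CloudFront assigns to the
// uploaded public key (or to a root-user key pair).
const exampleKeyPairID = "KEXAMPLEKEYID1"

// newSignerKey generates the 2048-bit RSA key CloudFront requires for signers.
func newSignerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// trustSigner builds the set of trusted public keys, keyed by Key-Pair-Id,
// the way a key group makes public keys trusted for a distribution.
func trustSigner(keyPairID string, priv *rsa.PrivateKey) map[string]*rsa.PublicKey {
	return map[string]*rsa.PublicKey{keyPairID: &priv.PublicKey}
}

// cannedPolicy is the document a canned-policy signed URL actually signs: one
// resource and one DateLessThan expiry, no whitespace, since the signature
// covers these exact bytes.
func cannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, resource, expires)
}

// cfEncode/cfDecode implement CloudFront's URL-safe base64 variant:
// '+' becomes '-', '=' becomes '_' and '/' becomes '~'.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}
func cfDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

// signURL is the signer's side: sign the canned policy with the private key
// and append Expires, Signature and Key-Pair-Id to the unsigned URL.
func signURL(priv *rsa.PrivateKey, keyPairID, resource string, expires int64) (string, error) {
	digest := sha1.Sum([]byte(cannedPolicy(resource, expires)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	sep := "?"
	if strings.Contains(resource, "?") {
		sep = "&"
	}
	return fmt.Sprintf("%s%sExpires=%d&Signature=%s&Key-Pair-Id=%s", resource, sep, expires, cfEncode(sig), keyPairID), nil
}

// verifyURL mirrors CloudFront's checks with the public key: look up the
// signer, rebuild the policy from the unsigned URL plus Expires, verify the
// signature, then confirm the expiry has not passed at time now. This example
// only handles resources that carry no query string of their own.
func verifyURL(trusted map[string]*rsa.PublicKey, signed string, now time.Time) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	q := u.Query()
	pub, ok := trusted[q.Get("Key-Pair-Id")]
	if !ok {
		return errors.New("key-pair-id is not a trusted signer")
	}
	var expires int64
	if _, err := fmt.Sscan(q.Get("Expires"), &expires); err != nil {
		return errors.New("missing or malformed Expires")
	}
	sig, err := cfDecode(q.Get("Signature"))
	if err != nil {
		return errors.New("malformed Signature")
	}
	q.Del("Expires")
	q.Del("Signature")
	q.Del("Key-Pair-Id")
	u.RawQuery = q.Encode() // recover the unsigned URL the policy was built from
	digest := sha1.Sum([]byte(cannedPolicy(u.String(), expires)))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return errors.New("signature does not match the URL")
	}
	if !now.Before(time.Unix(expires, 0)) {
		return errors.New("url has expired")
	}
	return nil
}

func main() {
	priv, err := newSignerKey()
	if err != nil {
		panic(err)
	}
	trusted := trustSigner(exampleKeyPairID, priv)
	now := time.Now()
	// Constructed sample resource on a made-up distribution domain.
	signed, err := signURL(priv, exampleKeyPairID, "https://d111111abcdef8.cloudfront.net/private/report.pdf", now.Add(5*time.Minute).Unix())
	if err != nil {
		panic(err)
	}
	fmt.Println("signed:", signed)
	fmt.Println("valid now:", verifyURL(trusted, signed, now))
	fmt.Println("tampered path:", verifyURL(trusted, strings.Replace(signed, "report.pdf", "secret.pdf", 1), now))
	fmt.Println("after expiry:", verifyURL(trusted, signed, now.Add(10*time.Minute)))
}
```

The private key never leaves the signer; the verifier holds only public keys, which is why CloudFront can store several of them per key group and why rotation is just adding a new public key to the trusted set, switching the signer to the new private key, and removing the old public key once URLs signed with it have expired.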
Author: LeetQuiz Editorial Team
As a developer setting up signers who can create signed URLs for Amazon CloudFront distributions, it's crucial to understand the specific criteria and limitations associated with this process. Signed URLs allow you to control access to your content by specifying who can access it and for how long.
Which of the following statements should the developer consider while defining the signers? (Select two)
A
When you create a signer, the public key is with CloudFront and private key is used to sign a portion of URL
B
You can also use AWS Identity and Access Management (IAM) permissions policies to restrict what the root user can do with CloudFront key pairs
C
When you use the root user to manage CloudFront key pairs, you can only have up to two active CloudFront key pairs per AWS account
D
CloudFront key pairs can be created with any account that has administrative permissions and full access to CloudFront resources
E
Both the signers (trusted key groups and CloudFront key pairs) can be managed using the CloudFront APIs