Explanation

Correct Answers: B (Signed URLs) and D (JSON Web Token (JWT))

Why these options are correct:

1. Signed URLs (Option B):

   • Signed URLs are perfect for users who cannot change hardcoded URLs because the signature is embedded directly in the URL itself
   • Users with custom HTTP clients that don't support cookies can still use signed URLs since they're just URLs with query parameters
   • The URL contains all the authentication information in the query string, so no cookies are required

2. JSON Web Token (JWT) (Option D):

   • JWT can be passed in the Authorization header or as a query parameter, making it compatible with custom HTTP clients
   • JWT tokens can be validated by CloudFront using Lambda@Edge functions
   • This provides fine-grained access control without requiring cookie support

Why other options are incorrect:

• A (Signed cookies): This requires cookie support in the HTTP client, which the custom clients don't have
• C (AWS AppSync): This is a GraphQL service for building APIs, not designed for securing CloudFront content delivery
• E (AWS Secrets Manager): This is for managing secrets like database credentials, not for securing CloudFront content access

Key considerations for the solution:

1. For users with custom HTTP clients without cookie support: Both signed URLs and JWT work because they don't rely on cookies
2. For users unable to change hardcoded URLs: Signed URLs can be pre-generated and distributed, while JWT tokens can be added as query parameters to existing URLs
3. Least impact to users: Both solutions work with existing infrastructure without requiring client-side changes to support cookies

Implementation approach:

• Use CloudFront signed URLs for time-limited access to specific content
• Use JWT with Lambda@Edge for more complex authorization logic and user-specific access control
• Both methods can be combined for different user groups based on their capabilities