AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A media company uses Amazon CloudFront for its publicly available streaming video content. The company wants to secure the video content that is hosted in Amazon S3 by controlling who has access. Some of the company's users are using a custom HTTP client that does not support cookies. Some of the company's users are unable to change the hardcoded URLs that they are using for access.

Which services or methods will meet these requirements with the LEAST impact to the users? (Choose two.)

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Signed cookies

Signed URLs

AWS AppSync

JSON Web Token (JWT)

AWS Secrets Manager

Explanation:

Explanation

Correct Answers: B (Signed URLs) and D (JSON Web Token (JWT))

Why these options are correct:

Signed URLs (Option B):
- Signed URLs are perfect for users who cannot change hardcoded URLs because the signature is embedded directly in the URL itself
- Users with custom HTTP clients that don't support cookies can still use signed URLs since they're just URLs with query parameters
- The URL contains all the authentication information in the query string, so no cookies are required
JSON Web Token (JWT) (Option D):
- JWT can be passed in the Authorization header or as a query parameter, making it compatible with custom HTTP clients
- JWT tokens can be validated by CloudFront using Lambda@Edge functions
- This provides fine-grained access control without requiring cookie support

Why other options are incorrect:

A (Signed cookies): This requires cookie support in the HTTP client, which the custom clients don't have
C (AWS AppSync): This is a GraphQL service for building APIs, not designed for securing CloudFront content delivery
E (AWS Secrets Manager): This is for managing secrets like database credentials, not for securing CloudFront content access

Key considerations for the solution:

For users with custom HTTP clients without cookie support: Both signed URLs and JWT work because they don't rely on cookies
For users unable to change hardcoded URLs: Signed URLs can be pre-generated and distributed, while JWT tokens can be added as query parameters to existing URLs
Least impact to users: Both solutions work with existing infrastructure without requiring client-side changes to support cookies

Implementation approach:

Use CloudFront signed URLs for time-limited access to specific content
Use JWT with Lambda@Edge for more complex authorization logic and user-specific access control
Both methods can be combined for different user groups based on their capabilities

Powered ByGPT-5.2

Comments

Loading comments...