Restrict Access to Contents with AWS CloudFront | Suitable Methods for Global Distribution


Question

A company has a web application that distributes content to customers around the globe and wants to restrict access to content intended for selected users.

They've decided to use AWS CloudFront.

Which of the following methods are suitable to achieve the requirement? (SELECT TWO.)

Answers

A. Create an origin access identity.
B. Create CloudFront signed URLs.
C. Create an IAM resource policy granting CloudFront access.
D. Create CloudFront signed cookies.
E. Create a CloudFront service endpoint.

Explanations

Answer: B and D.

Option A is incorrect because origin access identity is used when content from Amazon S3 can only be served through CloudFront.

Option B is CORRECT because CloudFront signed URLs allow you to control who can access your content.

Option C is incorrect because IAM resource policy is not required in this scenario.

Option D is CORRECT because CloudFront signed URLs and signed cookies provide the same basic functionality: they allow you to control who can access your content.

Option E is incorrect because CloudFront does not have a service endpoint.

Reference:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-overview.html

The company has a web application that distributes content to customers around the globe and wants to restrict access to specific users. AWS CloudFront is a content delivery network (CDN) that serves content to users from an edge location geographically close to them. CloudFront provides several ways to restrict access to content, including the following:

A. Create an origin access identity: Origin Access Identity (OAI) is a special CloudFront user that can be used to restrict access to an Amazon S3 bucket or an HTTP server that serves as the origin of a CloudFront distribution. By creating an OAI, you can configure the S3 bucket or HTTP server to only allow access from the CloudFront distribution, which helps to prevent direct access to the content. This method is suitable if the content is stored in an S3 bucket or served by an HTTP server that supports restricting access by IP address.

B. Create CloudFront signed URLs: A signed URL is a time-limited URL that provides access to a specific object or path in an S3 bucket or an HTTP server that serves as the origin of a CloudFront distribution. When you create a signed URL, you specify the expiration time, the resource path, and a private key that is used to sign the URL. The URL can be distributed to users who have permission to access the content, and it can be used to download the content directly from the origin server. This method is suitable if the content is stored in an S3 bucket or served by an HTTP server that supports direct access by URL.

C. Create IAM Resource policy granting CloudFront access: An IAM Resource policy is a JSON document that specifies the permissions for a resource, such as an S3 bucket or an Amazon EC2 instance. By creating an IAM Resource policy that grants CloudFront permission to access the content, you can restrict access to the content to users who access it through CloudFront. This method is suitable if the content is stored in an S3 bucket or served by an EC2 instance that supports restricting access by IAM policy.

D. Create CloudFront signed cookies: A signed cookie is a time-limited cookie that provides access to a specific object or path in an S3 bucket or an HTTP server that serves as the origin of a CloudFront distribution. When you create a signed cookie, you specify the expiration time, the resource path, and a private key that is used to sign the cookie. The cookie can be distributed to users who have permission to access the content, and it can be used to download the content directly from the origin server. This method is suitable if the content is stored in an S3 bucket or served by an HTTP server that supports direct access by cookie.
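An added example (not code from the page or from AWS tooling) showing what options B and D actually construct: the canned policy that names the resource and expiry, CloudFront's URL-safe base64 variant, and the same RSA-SHA1 signature delivered either as URL query parameters or as the three CloudFront-* cookies. The distribution hostname and key-pair ID used below are constructed placeholders, and the real signer assumes the `cryptography` package is installed.

```python
import base64
import json
from typing import Callable, Dict

# A signer takes the policy bytes and returns the raw RSA-SHA1 signature.
Signer = Callable[[bytes], bytes]


def cloudfront_b64(data: bytes) -> str:
    """Base64 with CloudFront's URL-safe substitutions: '+'->'-', '='->'_', '/'->'~'."""
    return (base64.b64encode(data).decode("ascii")
            .replace("+", "-").replace("=", "_").replace("/", "~"))


def canned_policy(resource_url: str, expires_epoch: int) -> str:
    """Canned policy: one resource, one expiry. Serialized without whitespace, exactly as signed."""
    policy = {"Statement": [{"Resource": resource_url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]}
    return json.dumps(policy, separators=(",", ":"))


def signed_url(resource_url: str, expires_epoch: int, key_pair_id: str, signer: Signer) -> str:
    """Option B: the policy signature travels in Expires, Signature and Key-Pair-Id parameters."""
    signature = cloudfront_b64(signer(canned_policy(resource_url, expires_epoch).encode()))
    sep = "&" if "?" in resource_url else "?"
    return f"{resource_url}{sep}Expires={expires_epoch}&Signature={signature}&Key-Pair-Id={key_pair_id}"


def signed_cookies(resource_url: str, expires_epoch: int, key_pair_id: str,
                   signer: Signer) -> Dict[str, str]:
    """Option D: the same policy and signature, delivered as three CloudFront-* cookies."""
    signature = cloudfront_b64(signer(canned_policy(resource_url, expires_epoch).encode()))
    return {"CloudFront-Expires": str(expires_epoch),
            "CloudFront-Signature": signature,
            "CloudFront-Key-Pair-Id": key_pair_id}


def rsa_sha1_signer(private_key_pem: bytes) -> Signer:
    """Real signer: RSA PKCS#1 v1.5 with SHA-1 over the policy, which is what CloudFront verifies.
    Assumes the 'cryptography' package; the private key must belong to a trusted key group."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA1())
```

Because the signature covers the serialized policy, any change to the resource path or the expiry invalidates it, which is why the expiry is the only lifetime control and the private key must stay off the web tier.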

E. Create CloudFront Service Endpoint: A CloudFront Service Endpoint is a private endpoint in a VPC that can be used to serve content to CloudFront. By creating a CloudFront Service Endpoint, you can restrict access to the content to users who access it through CloudFront. This method is suitable if the content is stored in an EC2 instance that is only accessible from within a VPC.

Therefore, the two suitable methods to achieve the requirement are: A. Create an origin access identity. B. Create CloudFront signed URLs.