
  • why this option for cloudfront should be an answer

  • joseph

    Member
    July 1, 2020 at 11:36 am

    Dear Support,

    Pasting a question here, my comments below the question, please check.

    You are working as a Solutions Architect for an international insurance company which has clients all across the globe. They have financial files that are stored in an S3 bucket which is behind CloudFront. At present, their clients can access their data by directly using an S3 URL or using their CloudFront distribution. The company wants to deliver their content to a specific client in California and they need to make sure that only that client can access the data.

    Which of the following options is a valid solution that meets the above requirements? (Choose 2)

    One of the answers given is

    Create a new S3 bucket in US West (N. California) region and upload the files. Use S3 pre-signed URLs to ensure that only their client can access the files. Remove permission to use Amazon S3 URLs to read the files for anyone else.

    Agreed that it could have been the answer if S3 was not used earlier. Here the Architect is using S3 and he wants to give his client access to some contents, so why should he create a separate bucket?

  • TutorialsDojo-Support

    Member
    July 1, 2020 at 10:44 pm

    Hi Joseph,

    Thanks for the feedback.

    The two options provided are independent of each other. Either one of them can be the solution to the problem.

    Create a new S3 bucket in US West (N. California) region and upload the files. Use S3 pre-signed URLs to ensure that only their client can access the files. Remove permission to use Amazon S3 URLs to read the files for anyone else.

    Use CloudFront signed URLs to ensure that only their client can access the files. Create an origin access identity (OAI) and give it permission to read the files in the bucket. Remove permission to use Amazon S3 URLs to read the files for anyone else.

    Actually, you don’t have to create a new S3 bucket to use S3 pre-signed URLs. But since the other choices are all invalid in their own right, the ones left are these two options. And one of them is “Create a new S3 bucket in US West (N. California) region and upload the files. Use S3 pre-signed URLs to ensure that only their client can access the files. Remove permission to use Amazon S3 URLs to read the files for anyone else.”

    You can just use the current S3 bucket and use pre-signed URLs. It’s not a requirement to create a new one. But it’s the only choice left that is valid.

    Hope this helps.

    Regards,

    Kenneth Samonte @ Tutorials Dojo
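
Added example, not part of the thread or of Tutorials Dojo's material: a small check for the "give the OAI permission to read the files, remove permission for anyone else" step of the CloudFront option, run against a bucket policy document. The bucket name, OAI ID and both sample policies are constructed placeholders; the check looks only at `Allow` statements in the bucket policy and ignores `Condition`, `NotPrincipal`, object ACLs and Block Public Access settings.

```python
import json

# CloudFront origin access identities appear in bucket policies under this ARN prefix.
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

# Constructed sample policies; bucket name and OAI ID are placeholders.
OAI = OAI_PREFIX + "EXAMPLEOAIID"
RES = "arn:aws:s3:::example-bucket/*"
OAI_STMT = {"Effect": "Allow", "Principal": {"AWS": OAI}, "Action": "s3:GetObject", "Resource": RES}
PUBLIC_STMT = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": RES}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [PUBLIC_STMT, OAI_STMT]})
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [OAI_STMT]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_read(stmt):
    """True if an Allow statement covers s3:GetObject, exactly or by wildcard."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return bool(actions & {"s3:getobject", "s3:get*", "s3:*", "*"})

def read_principals(policy_json):
    """Collect every principal that an Allow statement lets read objects."""
    found = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if not _grants_read(stmt):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # the bare "*" form
            found.add(principal)
        else:
            for values in principal.values():
                found.update(_as_list(values))
    return found

def audit(policy_json):
    """Return findings; an empty list means only CloudFront OAIs can read."""
    principals = read_principals(policy_json)
    findings = [f"non-OAI principal can read: {p}"
                for p in sorted(principals) if not p.startswith(OAI_PREFIX)]
    if not any(p.startswith(OAI_PREFIX) for p in principals):
        findings.append("no OAI read grant: CloudFront cannot fetch from the bucket")
    return findings

if __name__ == "__main__":
    print(audit(OPEN_POLICY))
    print(audit(LOCKED_POLICY))
```

A policy that still carries the public read statement is the situation the question describes, where clients can reach the files through a direct S3 URL as well as through CloudFront.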
