Member, August 24, 2021 at 9:37 am
You are working as a Solutions Architect for an international insurance company that has clients all across the globe. They have financial files that are stored in an S3 bucket which is behind CloudFront. At present, their clients can access their data by directly using an S3 URL or using their CloudFront distribution. The company wants to deliver their content to a specific client in California and they need to make sure that only that client can access the data.
Which of the following options is a valid solution that meets the above requirements? (Select TWO.)
The correct answer to the above question uses signed URLs rather than signed cookies. But reading the question, it seems like each client has multiple files and not just one. So don’t you think using signed cookies is a better idea?
Member, August 24, 2021 at 10:58 pm
Thank you for sharing your feedback on this question.
Yes, it is possible to use signed cookies for restricting read access to the files in the S3 bucket; however, for implementation on a single client, I think the signed URLs are still preferable.
Signed cookies are helpful if, for example, you have a group of users that want to access the “premium users only” page of your website; then all accounts that have that cookie are allowed. In this setup, you also need to have your application always send the “Set-Cookie” header to be used by CloudFront for verification. Also, signed cookies are only a feature of the CloudFront distribution. If any of the other clients know the URL of the S3 object, they can directly access it.
If you use signed URLs, both Amazon CloudFront and S3 natively support the signing of URLs; therefore, users who only have the direct S3 URL of the object will not be allowed, because access is limited to pre-signed URLs only.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Kenneth Samonte @ Tutorials Dojo
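The signed-URL option discussed in this thread, as an added example that is not part of the original posts and is not Tutorials Dojo's or AWS's own code: it assembles a CloudFront signed URL with a custom policy for one object. It goes slightly beyond the thread by also allowing a source-IP condition; the function names, the https-only check, and the use of the third-party `cryptography` package for the RSA-SHA1 signature are choices of this example.

```python
import base64
import json
from urllib.parse import urlsplit


def cf_b64(data: bytes) -> str:
    """Base64 with CloudFront's URL-safe substitutions (+ -> -, = -> _, / -> ~)."""
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))


def build_policy(resource_url, expires_epoch, source_cidr=None):
    """Custom policy: one resource, a hard expiry, optionally one client IP range."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}}
    if source_cidr:
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    statement = {"Resource": resource_url, "Condition": condition}
    # Compact JSON: the bytes that are signed must be the bytes sent in Policy=
    return json.dumps({"Statement": [statement]}, separators=(",", ":")).encode()


def sign_url(resource_url, key_pair_id, signer, expires_epoch, source_cidr=None):
    """Return resource_url with Policy, Signature and Key-Pair-Id appended.

    signer: callable(bytes) -> bytes producing the RSA-SHA1 signature of the policy.
    """
    parts = urlsplit(resource_url)
    # This example's own rule: a signed URL is a bearer credential, keep it on TLS
    if parts.scheme != "https":
        raise ValueError("refusing to sign a non-https URL")
    policy = build_policy(resource_url, expires_epoch, source_cidr)
    sep = "&" if parts.query else "?"
    return (f"{resource_url}{sep}Policy={cf_b64(policy)}"
            f"&Signature={cf_b64(signer(policy))}&Key-Pair-Id={key_pair_id}")


def rsa_sha1_signer(private_key_pem: bytes):
    """Signer for the private key whose public half is registered with CloudFront."""
    # Imported lazily so the policy/URL helpers work without the package installed
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())
```

Keep the expiry short and issue one URL per object: anyone holding the URL inside the policy's window and conditions can fetch the file.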