AWS Certified Security – Specialty (SCS-C02) — Question 192
A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks.
The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?
Answer options
- A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
- B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
- C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.
- D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.
Correct answer: B
Explanation
The correct answer is B. With signed cookies, a single cookie authenticates multiple requests, which simplifies access for users who need to retrieve many video chunks. Option A requires generating a new signed URL for each request, which is cumbersome when the video is made up of thousands of chunks. Option C adds the complexity of Lambda@Edge and is not as straightforward as using cookies. Option D is not a practical way to manage access securely while keeping the URL hidden.