AWS Certified Security – Specialty — Question 136

A company uses HTTP Live Streaming (HLS) to stream live video content to paying subscribers by using Amazon CloudFront. HLS splits the video content into chunks so that the user can request the right chunk based on different conditions. Because the video events last for several hours, the total video is made up of thousands of chunks.
The origin URL is not disclosed, and every user is forced to access the CloudFront URL. The company has a web application that authenticates the paying users against an internal repository and a CloudFront key pair that is already issued.
What is the simplest and MOST effective way to protect the content?

Answer options

• A. Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
• B. Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
• C. Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.
• D. Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.

Correct answer: B

Explanation

The correct answer is B because using signed cookies allows multiple requests within a session to access the content without needing to generate a new signed URL for each request, making it more efficient for streaming scenarios. Option A is less effective for a large number of chunks as it would require generating a signed URL for each chunk. Option C introduces complexity by requiring Lambda@Edge for authentication, which may not be necessary. Option D suggests a method of URL encryption, which does not address access control effectively.