What is the simplest and MOST effective way to protect the content?
Develop the application to use the CloudFront key pair to create signed URLs that users will use to access the content.
Develop the application to use the CloudFront key pair to set the signed cookies that users will use to access the content.
Develop the application to issue a security token that Lambda@Edge will receive to authenticate and authorize access to the content.
Keep the CloudFront URL encrypted inside the application, and use AWS KMS to resolve the URL on-the-fly after the user is authenticated.
Explanations:
Using signed URLs allows for secure access to content on a per-request basis, but managing thousands of chunks can lead to complexity in URL generation and may not be as efficient for long-lived sessions. A separate URL must be signed for each chunk, which can be cumbersome.
Using signed cookies allows the application to grant access to multiple chunks or resources at once without having to sign each URL individually. This method is more efficient for streaming content since users can access all authorized content without needing to regenerate URLs for each chunk.
Issuing a security token for Lambda@Edge may provide a mechanism for authorization, but it complicates the architecture unnecessarily. It would require additional setup and might introduce latency or performance issues without providing significant advantages over signed cookies or URLs.
Keeping the CloudFront URL encrypted and using AWS KMS to resolve it on-the-fly adds unnecessary complexity. It does not directly address the need for content protection and could lead to performance issues due to decryption overhead and latency during content requests.