Which service will allow easy and secure control of the access to the downloads at the lowest cost?
Use Amazon CloudFront with signed URLs for Amazon S3.
Create a dedicated Amazon CloudFront distribution for each customer.
Use Amazon CloudFront with AWS Lambda@Edge.
Use Amazon API Gateway and AWS Lambda to control access to an S3 bucket.
Explanations:
Using Amazon CloudFront with signed URLs for Amazon S3 allows for secure and controlled access to the firmware updates. Signed URLs can restrict access to only authorized users while keeping costs low by utilizing CloudFront’s caching capabilities, which reduces the number of requests made directly to S3.
Creating a dedicated Amazon CloudFront distribution for each customer would lead to significant cost increases and management overhead, as each distribution incurs its own costs. This approach does not efficiently utilize resources and lacks scalability.
While using Amazon CloudFront with AWS Lambda@Edge can provide additional functionality such as custom authentication or dynamic content generation, it adds complexity and potential latency. It is not the most cost-effective solution for simply controlling access to firmware downloads.
Using Amazon API Gateway and AWS Lambda to control access to an S3 bucket introduces additional costs and complexity. While this method can provide controlled access, it is not as cost-effective as using signed URLs with CloudFront, especially for simple file distribution scenarios.