Which solution will meet these requirements?
Store the digital content in an Amazon S3 bucket that does not have public access blocked. Use signed URLs to access the S3 bucket through CloudFront.
Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Restrict S3 bucket access with signed URLs in CloudFront.
Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Enable field-level encryption.
Store the digital content in an Amazon S3 bucket that does not have public access blocked. Use signed cookies for restricted delivery of the content through CloudFront.
Explanations:
The S3 bucket is not restricted from public access, meaning anyone can potentially access the content directly. Using signed URLs alone does not solve the problem of unauthorized access.
This option restricts public access to the S3 bucket and uses an origin access identity (OAI) to ensure that CloudFront can access the content. Signed URLs can further restrict access to authorized users only.
Field-level encryption is not necessary for restricting access to digital content. The focus should be on securing access to the content itself, not on encrypting parts of the content.
While signed cookies can be used for restricted access, the S3 bucket is not configured to block public access, which would still allow unauthorized users to bypass CloudFront restrictions by accessing the S3 bucket directly.
I judge that the answer is:
Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Restrict S3 bucket access with signed URLs in CloudFront.