Question #747
A company needs to distribute software patches globally while ensuring secure, temporary access for authorized users at the lowest cost. Which solution best meets these requirements?
A. Use Amazon CloudFront with signed URLs for Amazon S3.
B. Deploy a separate Amazon CloudFront distribution for each authorized user.
C. Use Amazon CloudFront with AWS Lambda@Edge to validate user tokens.
D. Use Amazon API Gateway with AWS IAM policies to restrict access to an S3 bucket.
Explanation
Answer A is correct because:
1. Secure Temporary Access: CloudFront signed URLs grant time-limited access to S3 objects, ensuring only authorized users download patches during the allowed period.
2. Global Distribution: CloudFront's CDN caches content at edge locations, reducing latency and S3 request costs.
3. Low Cost: Caching reduces repeated S3 fetches, and signed URLs avoid per-user infrastructure (unlike Option B) or Lambda@Edge costs (Option C).
Why others are incorrect:
- B: Separate distributions per user are costly and unscalable.
- C: Lambda@Edge adds compute costs and complexity for token validation.
- D: API Gateway + IAM requires AWS credentials, complicating temporary access for non-AWS users.
Key Points:
- Use CloudFront + signed URLs for secure, temporary global content delivery.
- Avoid per-user distributions or serverless compute when simpler solutions exist.
- Prioritize caching and signed URLs to minimize costs.
Answer
The correct answer is: A