Exam AWS Certified Security - Specialty topic 1 question 484 discussion

For this scenario you would need to set up static website hosting because a custom domain name is listed as a requirement. "Amazon S3 website endpoints do not support HTTPS or access points. If you want to use HTTPS, you can use Amazon CloudFront to serve a static website hosted on Amazon S3." This is not secure. https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html CloudFront signed URLs allow much more fine-grained control as well as HTTPS access with custom domain names: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

D is correct.

Option A would not be the best choice for this scenario. Let's break down why: Changing ACLs for individual users and objects each time a download is requested could become complex and difficult to manage. It's also not clear how you would "remove the access after a set time has elapsed" as this would require some kind of automated mechanism to modify the ACLs. Finally, using ACLs in this way would not fulfill the requirement to "allow the user to download the object from a custom domain name such as example.com." In contrast, a CloudFront signed URL (Option D) allows for precise access control on a per-request basis, can easily be set to expire after a certain period, and supports the use of custom domain names. This makes it a better fit for the requirements of the scenario.

By using CloudFront signed URLs, the security engineer can implement fine-grained access control to the S3 objects. Users will only be able to access the objects for a limited period specified in the signed URL. This approach ensures that the user's permissions are verified each time they attempt to access an object, providing robust security and preventing unauthorized access.