The correct answers are Use signed URLs to restrict access for clients that do not support cookies or require fixed URLs and Use signed cookies to enforce access control for users with configurable clients. Amazon CloudFront offers two access control methods for private content: signed URLs and signed cookies. Signed URLs are ideal for use cases where clients cannot support cookies or must work with static URLs, as the authorization is embedded in the URL itself. Signed cookies are more suitable for users with flexible HTTP clients that support cookies, allowing access to multiple restricted resources without changing URLs.

The option Implement AWS AppSync to control data flow and manage access to the content is incorrect because AppSync is designed for GraphQL-based APIs, not for serving or securing media content over CloudFront.

The choice Require JSON Web Tokens (JWT) to be passed by all clients for authorization is not appropriate because JWTs are not natively supported by CloudFront for access control and would require building custom authorization logic and possibly modifying clientssomething the scenario specifically wants to avoid.

The response Store credentials in AWS Secrets Manager and validate access through a custom authorization layer is not suitable. Secrets Manager is intended for managing secrets securely, not for media access control. Implementing a custom layer would add unnecessary complexity and impact client behavior.

This question is valuable for understanding secure content delivery with CloudFront and Amazon S3. A key tip is to assess client constraintswhen users can't change URLs or don't support cookies, signed URLs offer flexibility. Signed cookies are better for cases where multiple resources must be accessed without exposing credentials in URLs.

The tricky part is recognizing that different CloudFront access control mechanisms are best suited for different client capabilities, and the optimal solution often requires a hybrid approach to minimize user disruption.

Full AWS Practitioner Certification Question