Q70 — AWS DVA-C02 Ch.2
A company has an Amazon S3 bucket containing premium content. The company intends to restrict access to this content exclusively to its paying subscribers. The S3 bucket currently has default permissions—i.e., all objects are private—to prevent unauthorized public access. How can the company restrict download capability for premium content files in the S3 bucket to only paying subscribers?
- A. Apply a bucket policy allowing anonymous users to download content from the S3 bucket.
- B. Generate presigned object URLs for premium content files when a paying subscriber requests a download. ✓
- C. Add a bucket policy requiring multi-factor authentication (MFA) to access S3 bucket objects.
- D. Enable server-side encryption on the S3 bucket to prevent non-paying website visitors from accessing the data.
Correct Answer: B. Generate presigned object URLs for premium content files when a paying subscriber requests a download.
Explanation
Option B recommends generating presigned object URLs when a paying subscriber requests a download. This grants time-limited, authenticated access to specific objects without exposing them publicly or requiring permanent permissions. It enforces strict access control aligned with subscription status. Option A grants broad anonymous access, violating the security requirements. Option C introduces MFA, a strong control, but doesn't tie access to subscription status and adds operational friction. Option D encrypts data at rest but does not restrict access or authenticate users. Thus, option B is the most appropriate and secure method.