According to the Microsoft documentation, a shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a SAS to clients who don't otherwise have access to your storage account, and delegate access to them for a specified time period and with a specified set of permissions.
A SAS can be used to grant read-only access to a container and its blobs, as well as specify the allowed protocols (HTTP or HTTPS) and the start and expiry time of the access. For more information about creating and using SAS, see Using shared access signatures (SAS).
An access policy is not the correct answer because it is used to define a set of permissions and a time period for a container or a queue, but it does not grant access by itself. An access policy must be associated with a SAS to take effect. For more information about access policies, see Manage stored access policies for containers and queues.
Azure Content Delivery Network (CDN) is not the correct answer because it is used to cache and deliver content from Azure Storage or other sources, but it does not control the access permissions to the content. For more information about Azure CDN, see [What is Azure Content Delivery Network?].
Access keys are not the correct answer because they are used to authenticate requests to Azure Storage from any client, but they do not limit the access permissions or the protocols. Using access keys also exposes your storage account to potential unauthorized access if the keys are compromised. For more information about access keys, see [Manage storage account access keys].