AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 69
A company's website runs on an Amazon EC2 Linux instance. The website needs to serve PDF files from an Amazon S3 bucket. All public access to the S3 bucket is blocked at the account level. The company needs to allow website users to download the PDF files.
Which solution will meet these requirements with the LEAST administrative effort?
Answer options
- A. Create an IAM role that has a policy that allows s3:list* and s3:get* permissions. Assign the role to the EC2 instance. Assign a company employee to download requested PDF file to the EC2 instance and to deliver the files to website users. Create an AWS Lambda function to periodically delete local files.
- B. Create an Amazon CloudFront distribution that uses an origin access control (OAC) that points to the S3 bucket. Apply a bucket policy to the bucket to allow connections from the CloudFront distribution. Assign a company employee to provide a download URL that contains the distribution URL and the object path to users when users request PDF files.
- C. Change the S3 bucket permissions to allow public access on the source S3 bucket. Assign a company employee to provide a PDF file URL to users when users request the PDF files.
- D. Deploy an EC2 instance that has an IAM instance profile to a public subnet. Use a signed URL from the EC2 instance to provide temporary access to the S3 bucket for website users.
Correct answer: B
Explanation
Option B is the most efficient solution: CloudFront with origin access control (OAC) reads from the S3 bucket through a bucket policy that trusts only that distribution, so the files are served without exposing the bucket publicly and with minimal administrative overhead. Option A requires manual intervention for every file delivery, which increases effort; Option C compromises security by making the bucket public; and Option D adds complexity by deploying and maintaining an EC2 instance in a public subnet. Thus, B meets the requirements with the least effort.
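The bucket policy that option B depends on, shown here as an added example rather than text from the question or its answer key. It grants only s3:GetObject to the CloudFront service principal and uses the AWS:SourceArn condition so that only the one named distribution can read the bucket; the bucket name, account ID and distribution ID are placeholders (JSON has no comments, so they are marked by name).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOACReadOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::PLACEHOLDER-BUCKET-NAME/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::PLACEHOLDER-ACCOUNT-ID:distribution/PLACEHOLDER-DISTRIBUTION-ID"
        }
      }
    }
  ]
}
```

Because the principal is the CloudFront service and the condition pins a single distribution ARN, the account-level Block Public Access setting can stay enabled; a policy with `"Principal": "*"` would be rejected by that setting and is exactly what option C would require.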