AWS Certified Developer – Associate (DVA-C02) — Question 323

A developer is creating a publicly accessible enterprise website consisting of only static assets. The developer is hosting the website in Amazon S3 and serving the website to users through an Amazon CloudFront distribution. The users of this application must not be able to access the application content directly from an S3 bucket. All content must be served through the Amazon CloudFront distribution.

Which solution will meet these requirements?

Answer options

• A. Create a new origin access control (OAC) in CloudFront. Configure the CloudFront distribution's origin to use the new OAC. Update the S3 bucket policy to allow CloudFront OAC with read and write access to access Amazon S3 as the origin.
• B. Update the S3 bucket settings. Enable the block all public access setting in Amazon S3. Configure the CloudFront distribution's with Amazon S3 as the origin. Update the S3 bucket policy to allow CloudFront write access.
• C. Update the S3 bucket's static website settings. Enable static website hosting and specifying index and error documents. Update the CloudFront origin to use the S3 bucket's website endpoint.
• D. Update the CloudFront distribution's origin to send a custom header. Update the S3 bucket policy with a condition by using the aws:RequestTag/tag-key key. Configure the tag-key as the custom header name, and the value being matched is the header's value.

Correct answer: A

Explanation

Using Amazon CloudFront Origin Access Control (OAC) is the recommended best practice to restrict access to an Amazon S3 bucket origin so that content can only be accessed through CloudFront. By configuring OAC and updating the S3 bucket policy to allow access to the OAC, direct public access to the S3 bucket is securely blocked. Other options, such as using the S3 website endpoint, require the S3 bucket to remain public, which violates the requirement to block direct bucket access.