AWS Certified Developer – Associate — Question 345
A developer is creating a photo website. Amazon Route 53 hosts the website’s domain. The developer wants to store the application code and images in an Amazon S3 bucket. The developer also wants to use Amazon CloudFront to deliver the images to users.
The developer has created the S3 bucket and a CloudFront distribution. The developer wants the images to be accessed only through the website’s domain. Users must not use the S3 URLs.
Which solution will meet these requirements?
Answer options
- A. Create a CloudFront origin access identity (OAI). Associate the OAI with the CloudFront distribution. Modify the S3 bucket policy to allow access from only the OAI. Create an alias in Route 53 that points the website domain to the S3 bucket.
- B. Create a CloudFront origin access identity (OAI). Associate the OAI with the CloudFront distribution. Modify the S3 bucket policy to allow access from only the OAI. Update the Route 53 records to point the website domain to the CloudFront domain name.
- C. Block public access in the S3 bucket policy. Configure CloudFront to use the S3 bucket endpoint. Create an alias in Route 53 that points the website domain to the S3 bucket.
- D. Block public access in the S3 bucket policy. Configure CloudFront to use the S3 bucket endpoint. Create an alias in Route 53 that points the website domain to the CloudFront domain name.
Correct answer: B
Explanation
To restrict access so that users can only fetch S3 bucket content through Amazon CloudFront, create a CloudFront origin access identity (OAI), associate it with the distribution, and rewrite the S3 bucket policy so that s3:GetObject is granted only to that OAI principal (with no anonymous "*" principal left in the policy). CloudFront then signs its requests to the bucket as the OAI, while a direct request to the S3 URL is denied. To make users reach the images through the website's domain, the Route 53 record for that domain must point to the CloudFront distribution's domain name (an alias record to dXXXXXXXXXXXXX.cloudfront.net), not to the bucket. Option A fails because its Route 53 alias sends traffic straight to the S3 bucket, bypassing CloudFront entirely. Options C and D fail because "blocking public access" is not something a bucket policy grants, and on its own it only removes access: with the bucket closed and no OAI associated, CloudFront's requests to the origin are also denied, so the images cannot be served at all.
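The configuration behind option B, as an added example that is not part of the original question or of any AWS documentation: it builds the bucket policy that grants s3:GetObject only to the OAI principal, builds the Route 53 change batch that aliases the site domain to the distribution, and runs a check that flags any policy statement that would still let a user bypass CloudFront with the S3 URL. The bucket name, OAI ID, hosted zone ID and CloudFront domain are placeholders chosen for the example; the OAI principal ARN format and the CloudFront alias hosted zone ID (Z2FDTNDATAQYW2) are the fixed values AWS uses.

```python
"""Added example (not from the original page): S3 bucket policy restricted to a
CloudFront OAI, a Route 53 alias to the distribution, and a check for
statements that would leave the S3 URL usable without CloudFront."""
import json

# Placeholder values for illustration only; none of these come from the page.
OAI_ID = "E1EXAMPLEOAI"
BUCKET = "photo-site-images"
CF_DOMAIN = "d111111abcdef8.cloudfront.net"
SITE_DOMAIN = "photos.example.com"
HOSTED_ZONE_ID = "Z0123456789EXAMPLE"
# Fixed hosted zone ID AWS uses for alias records that target any CloudFront distribution.
CLOUDFRONT_ALIAS_ZONE_ID = "Z2FDTNDATAQYW2"


def oai_principal_arn(oai_id: str) -> str:
    """ARN form that bucket policies use to name a CloudFront origin access identity."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def build_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Policy granting s3:GetObject on every object to the OAI and nobody else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal_arn(oai_id)},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def build_route53_alias(zone_id: str, site_domain: str, cf_domain: str) -> dict:
    """Change batch for change-resource-record-sets: site domain -> CloudFront domain."""
    return {
        "Comment": f"Alias {site_domain} to CloudFront distribution {cf_domain}",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": site_domain,
                    "Type": "A",
                    "AliasTarget": {
                        "HostedZoneId": zone_id if False else CLOUDFRONT_ALIAS_ZONE_ID,
                        "DNSName": cf_domain,
                        "EvaluateTargetHealth": False,
                    },
                },
            }
        ],
    }


def public_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements granted to the anonymous principal.

    Any such statement lets a user fetch objects via the S3 URL, defeating the
    requirement that images be reachable only through CloudFront."""
    leaky = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            leaky.append(st.get("Sid", "<no Sid>"))
    return leaky


# Constructed "before" policy: the classic public-read grant that would fail the requirement.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, OAI_ID), indent=2))
    print(json.dumps(build_route53_alias(HOSTED_ZONE_ID, SITE_DOMAIN, CF_DOMAIN), indent=2))
    print("leaky statements in OAI policy:", public_read_statements(build_bucket_policy(BUCKET, OAI_ID)))
    print("leaky statements in public policy:", public_read_statements(PUBLIC_READ_POLICY))
```

The alias record must carry CloudFront's fixed hosted zone ID in AliasTarget, not the zone ID of the domain itself (the latter is only used when submitting the change batch). Note that AWS now recommends origin access control (OAC) over OAI for new distributions; with OAC the bucket policy grants s3:GetObject to the cloudfront.amazonaws.com service principal with an AWS:SourceArn condition naming the distribution, but the requirement and the Route 53 part of the answer are the same.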