AWS Certified Security – Specialty (SCS-C02) — Question 90

A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.

Which actions should the company take to secure the images to limit their distribution? (Choose two.)

Answer options

• A. Update the S3 bucket policy to restrict access to a CloudFront origin access control (OAC).
• B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
• C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
• D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
• E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.

Correct answer: A, C

Explanation

The correct answers, A and C, focus on securing access through the S3 bucket policy and implementing geo restrictions directly in CloudFront, which effectively prevents access from unauthorized countries. Options B, D, and E do not provide the most effective means of restricting access; for instance, updating DNS records or solely altering the S3 bucket policy without CloudFront involvement would not adequately enforce the necessary access controls.