AWS Certified Security – Specialty — Question 242
A company stores images for a website in an Amazon S3 bucket. The company is using Amazon CloudFront to serve the images to the end users. The company recently discovered that the images are being accessed from countries where the company does not have a distribution license.
Which actions should the company take to secure the images to limit their distribution? (Choose two.)
Answer options
- A. Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
- B. Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
- C. Add a CloudFront geo restriction deny list of countries where the company lacks a license.
- D. Update the S3 bucket policy with a deny list of countries where the company lacks a license.
- E. Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.
Correct answer: A, C
Explanation
Option A is correct because restricting the S3 bucket policy to a CloudFront origin access identity (OAI) ensures that only CloudFront can read from the bucket, so users cannot bypass CloudFront, and any restrictions configured there, by requesting the images directly from S3. Option C is correct because a CloudFront geo restriction deny list blocks requests from the listed countries at the distribution itself. The other options either do not directly address the issue or are not applicable in the context of securing access through CloudFront and S3.