AWS Certified Security – Specialty — Question 278
A company's security engineer is configuring Amazon S3 permissions to ban all current and future public buckets. However, the company hosts several websites directly off S3 buckets with public access enabled.
The engineer needs to block the public S3 buckets without causing any outages on the existing websites. The engineer has set up an Amazon CloudFront distribution for each website.
Which set of steps should the security engineer implement next?
Answer options
- A. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Switch the DNS records for websites to point to the CloudFront distribution. Enable block public access settings at the account level.
- B. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Switch the DNS records for the websites to point to the CloudFront distribution. Then, for each S3 bucket, enable block public access settings.
- C. Configure an S3 bucket as the origin with an origin access identity (OAI) for the CloudFront distribution. Enable block public access settings at the account level.
- D. Configure an S3 bucket as the origin for the CloudFront distribution. Configure the S3 bucket policy to accept connections from the CloudFront points of presence only. Switch the DNS records for the websites to point to the CloudFront distribution. Enable block public access settings at the account level.
Correct answer: A
Explanation
Enabling S3 Block Public Access at the account level is the only way to ensure that all current and future buckets are restricted; per-bucket settings (option B) would not cover buckets created later. Using an origin access identity (OAI) lets CloudFront retrieve content from the S3 buckets after they are made private, so the bucket policies no longer need to grant anonymous access. Switching the DNS records to the CloudFront distributions before enabling the block ensures that visitors reach the sites through CloudFront rather than through the S3 website endpoints, which is what prevents any website downtime.
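As an added illustration of what the chosen steps produce (example code, not part of the original question or of any AWS documentation), the following builds the OAI-only bucket policy that replaces the public one, the account-level Block Public Access configuration, and a check that flags any bucket policy still granting anonymous access. The bucket name and OAI id are constructed placeholders.

```python
import json

# Constructed example of the kind of policy a public S3-hosted website uses today.
LEGACY_WEBSITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",                 # anonymous access: what Block Public Access forbids
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-website-bucket/*",
    }],
}

# Account-level settings (all four on) that restrict every current and future bucket.
ACCOUNT_BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Policy granting read access only to the CloudFront OAI (bucket must be a
    regular S3 origin, not an S3 website endpoint, for OAI to apply)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def has_public_statement(policy: dict) -> bool:
    """True if any Allow statement uses a wildcard principal (public access)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if aws == "*" or (isinstance(aws, list) and "*" in aws):
                return True
    return False


if __name__ == "__main__":
    new_policy = oai_bucket_policy("example-website-bucket", "EXAMPLEOAIID")
    print(json.dumps(new_policy, indent=2))
    print("legacy policy public:", has_public_statement(LEGACY_WEBSITE_POLICY))
    print("OAI policy public:", has_public_statement(new_policy))
```

Running `has_public_statement` over each bucket's current policy before flipping the account-level block shows which websites still depend on anonymous access and so are not yet migrated to CloudFront.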