AWS Certified Security – Specialty — Question 328

A company has a web server in the AWS Cloud. The company will store the content for the web server in an Amazon S3 bucket. A security engineer must use an Amazon CloudFront distribution to speed up delivery of the content. None of the files can be publicly accessible from the S3 bucket direct.

Which solution will meet these requirements?

Answer options

• A. Configure the permissions on the individual files in the S3 bucket so that only the CloudFront distribution has access to them.
• B. Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI can access the files in the S3 bucket.
• C. Create an S3 role in AWS Identity and Access Management (IAM). Allow only the CloudFront distribution to assume the role to access the files in the S3 bucket.
• D. Create an S3 bucket policy that uses only the CloudFront distribution ID as the principal and the Amazon Resource Name (ARN) as the target.

Correct answer: B

Explanation

Creating an origin access identity (OAI) and associating it with the Amazon CloudFront distribution is the standard method to restrict access to an Amazon S3 bucket so that users can only access content through CloudFront. By updating the S3 bucket policy to allow access only to the OAI, direct public access to the S3 bucket is prevented. Other options, such as using IAM roles for CloudFront or using the distribution ID directly as a principal in the bucket policy, are not supported mechanisms for S3 origin security.