AWS Certified Security – Specialty — Question 37

A Security Administrator has a website hosted in Amazon S3. The Administrator has been given the following requirements:
✑ Users may access the website by using an Amazon CloudFront distribution.
✑ Users may not access the website directly by using an Amazon S3 URL.
Which configurations will support these requirements? (Choose two.)

Answer options

• A. Associate an origin access identity with the CloudFront distribution.
• B. Implement a ג€Principalג€: ג€cloudfront.amazonaws.comג€ condition in the S3 bucket policy.
• C. Modify the S3 bucket permissions so that only the origin access identity can access the bucket contents.
• D. Implement security groups so that the S3 bucket can be accessed only by using the intended CloudFront distribution.
• E. Configure the S3 bucket policy so that it is accessible only through VPC endpoints, and place the CloudFront distribution into the specified VPC.

Correct answer: A, C

Explanation

The correct answers are A and C. Associating an origin access identity with the CloudFront distribution (A) allows CloudFront to access the S3 bucket on behalf of users, while modifying the S3 bucket permissions (C) ensures that only the origin access identity can retrieve the content, preventing direct access via S3 URLs. Options B, D, and E do not fully restrict access to the S3 bucket in the manner specified in the requirements.