AWS Certified Security – Specialty — Question 55

In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly.
What must be done to prevent users from accessing the S3 objects directly by using URLs?

Answer options

• A. Change the S3 bucket/object permission so that only the bucket owner has access.
• B. Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
• C. Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
• D. Redirect S3 bucket access to the corresponding CloudFront distribution.

Correct answer: B

Explanation

The correct answer is B because setting up a CloudFront origin access identity (OAI) ensures that only CloudFront can access the S3 bucket, thus preventing direct access by users. Option A is incorrect as it would restrict access to the bucket owner but not secure it against other users. Option C does not address the CloudFront distribution directly accessing the S3 bucket, while Option D does not provide a security mechanism to prevent direct access.