AWS Certified Solutions Architect – Associate (SAA-C02) — Question 124

A solutions architect is moving the static content from a public website hosted on Amazon EC2 instances to an Amazon S3 bucket. An Amazon CloudFront distribution will be used to deliver the static assets. The security group used by the EC2 instances restricts access to a limited set of IP ranges. Access to the static content should be similarly restricted.
Which combination of steps will meet these requirements? (Choose two.)

Answer options

• A. Create an origin access identity (OAI) and associate it with the distribution. Change the permissions in the bucket policy so that only the OAI can read the objects.
• B. Create an AWS WAF web ACL that includes the same IP restrictions that exist in the EC2 security group. Associate this new web ACL with the CloudFront distribution.
• C. Create a new security group that includes the same IP restrictions that exist in the current EC2 security group. Associate this new security group with the CloudFront distribution.
• D. Create a new security group that includes the same IP restrictions that exist in the current EC2 security group. Associate this new security group with the S3 bucket hosting the static content.
• E. Create a new IAM role and associate the role with the distribution. Change the permissions either on the S3 bucket or on the files within the S3 bucket so that only the newly created IAM role has read and download permissions.

Correct answer: A, B

Explanation

Option A is correct because creating an origin access identity (OAI) and modifying the bucket policy allows only CloudFront to access the S3 bucket, ensuring security. Option B is also correct as using an AWS WAF web ACL with the same IP restrictions as the EC2 security group helps maintain similar access controls. The other options do not effectively restrict access or are not applicable for controlling access to S3 content via CloudFront.