AWS Certified Solutions Architect – Associate (SAA-C02) — Question 457

A company is developing a file-sharing application that will use an Amazon S3 bucket for storage. The company wants to serve all the files through an Amazon
CloudFront distribution. The company does not want the files to be accessible through direct navigation to the S3 URL.
What should a solutions architect do to meet these requirements?

Answer options

• A. Write individual policies for each S3 bucket to grant read permission for only CloudFront access.
• B. Create an IAM user. Grant the user read permission to objects in the S3 bucket. Assign the user to CloudFront.
• C. Write an S3 bucket policy that assigns the CloudFront distribution ID as the Principal and assigns the target S3 bucket as the Amazon Resource Name (ARN).
• D. Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI has read permission.

Correct answer: D

Explanation

Creating an Origin Access Identity (OAI) and associating it with the CloudFront distribution allows CloudFront to securely access S3 bucket contents. By updating the S3 bucket policy to allow read access only to this OAI, direct access to the S3 bucket via its direct URL is blocked. Other options, such as assigning an IAM user to CloudFront or directly setting the distribution ID as a principal in the bucket policy, are not supported methods for restricting S3 access to CloudFront.