AWS Certified Solutions Architect – Associate (SAA-C03) — Question 161

A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to store a static website. The company’s security policy requires that all website traffic be inspected by AWS WAF.

How should the solutions architect comply with these requirements?

Answer options

• A. Configure an S3 bucket policy to accept requests coming from the AWS WAF Amazon Resource Name (ARN) only.
• B. Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin.
• C. Configure a security group that allows Amazon CloudFront IP addresses to access Amazon S3 only. Associate AWS WAF to CloudFront.
• D. Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.

Correct answer: D

Explanation

The correct answer is D because using an origin access identity (OAI) allows Amazon CloudFront to securely access the S3 bucket while restricting direct public access, and enabling AWS WAF on the distribution ensures that all traffic is inspected. Option A incorrectly focuses on bucket policy rather than the necessary integration with CloudFront and WAF. Option B suggests forwarding requests to WAF, which is not how WAF integrates with CloudFront. Option C incorrectly relies on security groups, which do not apply to S3 bucket access from CloudFront.