AWS Certified Solutions Architect – Professional — Question 247
A media company has a static web application that is generated programmatically. The company has a build pipeline that generates HTML content that is uploaded to an Amazon S3 bucket served by Amazon CloudFront. The build pipeline runs inside a Build Account. The S3 bucket and CloudFront distribution are in a Distribution Account. The build pipeline uploads the files to Amazon S3 using an IAM role in the Build Account. The S3 bucket has a bucket policy that only allows CloudFront to read objects using an origin access identity (OAI). During testing, all attempts to access the application using the CloudFront URL result in an HTTP 403 Access Denied response.
What should a solutions architect suggest to the company to allow access to the objects in Amazon S3 through CloudFront?
Answer options
- A. Modify the S3 upload process in the Build Account to add the bucket-owner-full-control ACL to the objects at upload.
- B. Create a new cross-account IAM role in the Distribution Account with write access to the S3 bucket. Modify the build pipeline to assume this role to upload the files to the Distribution Account.
- C. Modify the S3 upload process in the Build Account to set the object owner to the Distribution Account.
- D. Create a new IAM role in the Distribution Account with read access to the S3 bucket. Configure CloudFront to use this new role as its OAI. Modify the build pipeline to assume this role when uploading files from the Build Account.
Correct answer: B
Explanation
The correct answer is B because creating a cross-account IAM role in the Distribution Account with write access allows the build pipeline to upload files directly to the S3 bucket in the Distribution Account, so the uploaded objects are owned by the Distribution Account and can be read through the OAI. Options A and C do not address the cross-account issue, and D incorrectly suggests that CloudFront should use an IAM role as its OAI; an OAI is a CloudFront identity, not an IAM role, so this is not the correct approach for S3 access.