AWS Certified SysOps Administrator – Associate — Question 170
A SysOps administrator needs to configure a solution that will deliver digital content to a set of authorized users through Amazon CloudFront. Unauthorized users must be restricted from access.
Which solution will meet these requirements?
Answer options
- A. Store the digital content in an Amazon S3 bucket that does not have public access blocked. Use signed URLs to access the S3 bucket through CloudFront.
- B. Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Restrict S3 bucket access with signed URLs in CloudFront.
- C. Store the digital content in an Amazon S3 bucket that has public access blocked. Use an origin access identity (OAI) to deliver the content through CloudFront. Enable field-level encryption.
- D. Store the digital content in an Amazon S3 bucket that does not have public access blocked. Use signed cookies for restricted delivery of the content through CloudFront.
Correct answer: B
Explanation
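The correct answer is B. Blocking public access on the S3 bucket and granting read access only to a CloudFront origin access identity (OAI) means the content can be retrieved only through CloudFront, and signed URLs then limit CloudFront delivery to authorized users. Option A does not restrict access adequately, because the bucket does not have public access blocked and the content could be reachable directly from S3 without a signed URL. Option C adds the unnecessary complexity of field-level encryption, which does nothing to limit delivery to authorized users. Option D uses signed cookies but, like A, does not secure the S3 bucket properly because public access is not blocked.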