AWS Certified SysOps Administrator – Associate — Question 206
A SysOps administrator needs to configure an Amazon S3 bucket to host a web application. The SysOps administrator has created the S3 bucket and has copied the static files for the web application to the S3 bucket.
The company has a policy that all S3 buckets must not be public.
What should the SysOps administrator do to meet these requirements?
Answer options
- A. Create an Amazon CloudFront distribution. Configure the S3 bucket as an origin with an origin access identity (OAI). Give the OAI the s3:GetObject permission in the S3 bucket policy.
- B. Configure static website hosting in the S3 bucket. Use Amazon Route 53 to create a DNS CNAME to point to the S3 website endpoint.
- C. Create an Application Load Balancer (ALB). Change the protocol to HTTPS in the ALB listener configuration. Forward the traffic to the S3 bucket.
- D. Create an accelerator in AWS Global Accelerator. Set up a listener configuration for port 443. Set the endpoint type to forward the traffic to the S3 bucket.
Correct answer: A
Explanation
The correct answer is A because using Amazon CloudFront with an origin access identity allows the S3 bucket to remain private while serving content securely. Option B is incorrect as enabling static website hosting would make the bucket public, violating the company's policy. Option C is not suitable since an ALB is not designed to directly forward traffic to an S3 bucket, and option D is also inappropriate as AWS Global Accelerator is not meant for routing traffic to S3 buckets.
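The bucket policy from option A can be checked mechanically. The Python below is an added example, not part of the original question: it audits a bucket policy document for wildcard-principal grants and confirms that an OAI holds s3:GetObject. The bucket name, the OAI ID and both sample policies are constructed placeholders, and only the ARN form of the OAI principal is recognised.

```python
import json

# Principal ARN prefix used for CloudFront origin access identities.
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

# Constructed sample policies; bucket name and OAI ID are placeholders.
OAI_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": OAI_ARN_PREFIX + "EXAMPLEOAIID"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-webapp-bucket/*",
    }],
})
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-webapp-bucket/*",
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """Flatten the Principal element into a list of principal strings."""
    principal = statement.get("Principal", [])
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)

def audit_bucket_policy(policy_json):
    """Report wildcard-principal Allow statements and whether an OAI can read objects."""
    public, oai_read = [], False
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principals(stmt)
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "*" in principals:
            # Conservative: flagged even if a Condition narrows the grant.
            public.append(stmt.get("Sid", f"statement[{i}]"))
        elif ("s3:getobject" in actions and principals
              and all(p.startswith(OAI_ARN_PREFIX) for p in principals)):
            oai_read = True
    return {"public_statements": public, "oai_read": oai_read}
```

A policy that satisfies the question's requirement returns an empty `public_statements` list with `oai_read` set to `True`.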