AWS Certified SysOps Administrator – Associate — Question 360

A SysOps administrator has an Amazon S3 website and wants to restrict access to a single Amazon CloudFront distribution. Visitors to the website should not be able to circumvent CloudFront or view the S3 website directly from the bucket.

Which AWS service or feature will meet these requirements?

Answer options

• A. S3 bucket ACL
• B. AWS Firewall Manager
• C. Amazon Route 53 private hosted zone
• D. Origin access identity (OAI)

Correct answer: D

Explanation

An origin access identity (OAI) is used to restrict access to an Amazon S3 bucket so that users can only access files through the specified Amazon CloudFront distribution. S3 bucket ACLs, AWS Firewall Manager, and Route 53 private hosted zones do not provide a mechanism to restrict direct S3 access to only permit CloudFront traffic.