AWS Certified SysOps Administrator – Associate — Question 468

An Amazon CloudFront distribution has a single Amazon S3 bucket as its origin. A SysOps administrator must ensure that users can access the S3 bucket only through requests from the CloudFront endpoint.
Which solution will meet these requirements?

Answer options

• A. Configure S3 Block Public Access on the S3 bucket. Update the S3 bucket policy to allow the GetObject action from only the CloudFront distribution.
• B. Configure Origin Shield in the CloudFront distribution. Update the CloudFront origin to include a custom Origin_Shield header.
• C. Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Update the S3 bucket policy to restrict access to the OAI.
• D. Create an origin access identity (OAI). Assign the OAI to the S3 bucket. Update the CloudFront origin to include a custom Origin header with the OAI value.

Correct answer: C

Explanation

To restrict S3 bucket access so that users can only access content via CloudFront, an origin access identity (OAI) must be created and associated with the CloudFront distribution. The S3 bucket policy is then updated to grant read permissions exclusively to the OAI, thereby blocking direct public access to S3. Option D is incorrect because the OAI must be associated with the CloudFront distribution, not the S3 bucket, and custom headers are not used for OAI validation.