A company is hosting a static website on Amazon S3 distributed via Amazon CloudFront. The company wants to ensure that users can only access the website through the CloudFront distribution and cannot access the S3 bucket directly via its S3 URL. <br/><br/>What should the solutions architect configure to meet this requirement?

Configure Origin Access Control (OAC) on the CloudFront distribution and update the S3 bucket policy to allow access only from the CloudFront OAC.

Create an IAM role for CloudFront and attach it to the S3 bucket.

Configure the S3 bucket as a website endpoint and use a custom header in CloudFront to authenticate requests.

Place the S3 bucket in a private VPC subnet and use a VPC endpoint for CloudFront.