ExpertMedium1 markMultiple Choice
AWS SAP-C02 · Question 55 · Domain 2.3: Security Controls
A company is using Amazon S3 to host a static website. They want to use Amazon CloudFront to distribute the content globally. They must ensure that users can ONLY access the content via CloudFront, and direct access to the S3 bucket URL is blocked. How should this be configured?
A company is using Amazon S3 to host a static website. They want to use Amazon CloudFront to distribute the content globally. They must ensure that users can ONLY access the content via CloudFront, and direct access to the S3 bucket URL is blocked. How should this be configured?
Answer options:
A.
Make the S3 bucket public and use CloudFront signed URLs.
B.
Configure Origin Access Control (OAC) in CloudFront and update the S3 bucket policy to allow access only from the CloudFront distribution.
C.
Use a VPC Endpoint for S3 and route CloudFront traffic through the VPC.
D.
Configure AWS WAF on the S3 bucket to block non-CloudFront IPs.
How to approach this question
Identify the mechanism to secure S3 origins behind CloudFront.
Full Answer
B.Configure Origin Access Control (OAC) in CloudFront and update the S3 bucket policy to allow access only from the CloudFront distribution.✓ Correct
Configure Origin Access Control (OAC) in CloudFront and update the S3 bucket policy to allow access only from the CloudFront distribution.
Origin Access Control (OAC) is the modern, secure way to restrict S3 bucket access to only a specific CloudFront distribution. The S3 bucket policy is updated to allow 's3:GetObject' only when the condition matches the CloudFront ARN.
Common mistakes
Using the legacy OAI or trying to attach WAF to S3.
Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2
75 questions · hints · full answers · grading
More questions from this exam
Q01A company is setting up a multi-account AWS environment using AWS Organizations. They need to ens...EasyQ02An enterprise needs to connect its on-premises data center to AWS. They require a dedicated, priv...EasyQ03A company wants to share a single AWS Transit Gateway across multiple AWS accounts within their A...EasyQ04An architect needs to design a highly available database architecture that spans multiple AWS Reg...EasyQ05A global financial institution is migrating its core banking application to AWS. The application ...Medium