AWS SAP-C02 · Question 18 · Domain 2.5: Performance
A media company streams video content globally. They use Amazon S3 for storage and Amazon CloudFront for delivery. Recently, they noticed a spike in S3 egress costs. Investigation reveals that users in certain countries are bypassing CloudFront and accessing the S3 bucket directly via its public URL. How can the Architect enforce that all access goes through CloudFront, preventing direct S3 access?
Answer options:
Configure CloudFront with Origin Access Control (OAC). Update the S3 bucket policy to allow s3:GetObject only from the CloudFront service principal.
Enable S3 Block Public Access. Create an IAM user for CloudFront and embed the access keys in the CloudFront origin settings.
Configure AWS WAF on the S3 bucket to block requests that do not contain a custom HTTP header added by CloudFront.
Use Amazon Route 53 geolocation routing to redirect direct S3 requests back to the CloudFront distribution.