A company is building a file-sharing application that stores files in an Amazon S3 bucket and serves them via an Amazon CloudFront distribution. The company does not want users to access files directly through the S3 URL. What should a solutions architect do to satisfy these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create an origin access identity (OAI), assign the OAI to the CloudFront distribution, and configure the S3 bucket permissions so that only the OAI has read permission..
Why this is the answer
Creating an Origin Access Identity (OAI) is the correct and most secure method. An OAI is a special CloudFront user that CloudFront uses to access objects in your S3 bucket. By configuring the S3 bucket policy to grant read permissions only to this OAI, you prevent direct access to S3 objects via their S3 URLs, ensuring all requests go through CloudFront. Writing individual policies for each S3 bucket is inefficient and doesn't inherently restrict direct S3 access. Creating an IAM user and assigning it to CloudFront is not the standard or recommended practice for this specific integration; OAIs are designed for this purpose. Writing an S3 bucket policy with the CloudFront distribution ID as the Principal is incorrect syntax and not how CloudFront integrates with S3 for restricted access.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed