A solutions architect must design a static website using Amazon CloudFront with an Amazon S3 origin. The company’s security policy requires that all website traffic be inspected by AWS WAF. How should the solutions architect meet this requirement?
Choose an answer
Tap an option to check your answer.
Correct answer: Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution..
Why this is the answer
The correct approach is to configure an Origin Access Identity (OAI) for CloudFront to restrict direct access to the S3 bucket, ensuring all requests go through CloudFront. Then, enable AWS WAF directly on the CloudFront distribution. CloudFront integrates natively with WAF, allowing WAF to inspect all traffic before it reaches the S3 origin via CloudFront. Incorrect options: An S3 bucket policy cannot directly accept requests based on an AWS WAF ARN. WAF operates at the CloudFront level. CloudFront does not "forward" requests to WAF as a separate step; WAF is integrated directly with the CloudFront distribution. Security groups are not applicable to S3 buckets, which are object storage, not EC2 instances.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed