Which solution will meet these requirements?
A. Set up an S3 bucket policy with the aws:SecureTransport condition key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Configure CloudFront to use specific ciphers. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers. Link the ALB with AWS WAF to allow access from the CloudFront IP ranges.
B. Set up an S3 bucket policy with the aws:SecureTransport condition key. Configure the CloudFront origin access identity (OAI) with the S3 bucket. Enforce the ALB with an HTTPS listener only and select the appropriate security policy for the ciphers.
C. Modify the CloudFront distribution to use AWS WAF. Force HTTPS on the S3 bucket with specific ciphers in the bucket policy. Configure an HTTPS listener only for the ALB. Set up a security group to limit access to the ALB from the CloudFront IP ranges.
D. Modify the CloudFront distribution to use the ALB as the origin. Enforce an HTTP listener on the ALB. Create a path-based routing rule on the ALB with proxies that connect to Amazon S3. Create a bucket policy to allow access from these proxies only.
Explanations:
A. This option enforces HTTPS for data in transit end to end: CloudFront is configured with specific ciphers, the ALB exposes an HTTPS listener only, and the S3 bucket policy denies any request that does not use secure transport. The ALB is fronted by AWS WAF so that only the CloudFront IP ranges are allowed, ensuring traffic reaches the ALB only through CloudFront (internet-only access).
B. This option is missing AWS WAF for restricting ALB access to the CloudFront IP ranges, which is needed to meet the requirement for internet-only access.
C. Although it enforces HTTPS on the S3 bucket and the ALB, it relies on a security group to limit ALB access, which may not be the most effective method compared to using AWS WAF to restrict access to the CloudFront IP ranges.
D. This option incorrectly enforces an HTTP listener on the ALB, which violates the requirement for HTTPS enforcement. Additionally, using path-based routing from the ALB to S3 is unnecessary and overly complex.
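The S3 side of the correct configuration, as an added example that is not part of the original question or its explanations: a bucket policy that denies every request not made over TLS (the aws:SecureTransport condition) and grants object reads only to the CloudFront origin access identity. The bucket name and the OAI ID are placeholders chosen for this illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonTLSRequests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "AllowCloudFrontOAIReadOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE-OAI-ID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    }
  ]
}
```

An explicit Deny always wins over an Allow in IAM evaluation, so the first statement blocks plain-HTTP access for every principal, including the OAI; the second statement then limits who can read objects at all, so that S3 is reachable only through CloudFront. To verify the policy after applying it, an unauthenticated `curl http://EXAMPLE-BUCKET.s3.amazonaws.com/object` should return 403, while the same object served through the distribution's HTTPS URL should succeed.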