Which action should the administrator take to ensure that users access objects in Amazon S3 by using only CloudFront URLs?

By:
On:
In: SOA-C02
Tagged:
With: 0 Comments
A SysOps administrator is reviewing AWS Trusted Advisor warnings and encounters a warning for an S3 bucket policy that has open access permissions.While discussing the issue with the bucket owner, the administrator realizes the S3 bucket is an origin for an Amazon CloudFront web distribution.

Which action should the administrator take to ensure that users access objects in Amazon S3 by using only CloudFront URLs?

Encrypt the S3 bucket content with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3).

Create an origin access identity and grant it permissions to read objects in the S3 bucket.

Assign an IAM user to the CloudFront distribution and grant the user permissions in the S3 bucket policy.

Assign an IAM role to the CloudFront distribution and grant the role permissions in the S3 bucket policy.

Explanations:

Encrypting the S3 bucket content with SSE-S3 provides data-at-rest encryption, but it does not restrict access to the S3 bucket to only CloudFront URLs.

Creating an origin access identity (OAI) and granting it permissions to read objects in the S3 bucket restricts direct access to the bucket, allowing access only through CloudFront.

Assigning an IAM user to CloudFront is not a supported or recommended method for restricting S3 access to only CloudFront URLs.

CloudFront does not support using IAM roles directly to control access to S3 objects. An origin access identity (OAI) is the correct way to limit access to CloudFront only.

Leave a Reply

Your email address will not be published. Required fields are marked *

nineteen − 2 =