Which AWS service or feature will meet these requirements?

By:
In: SOA-C02
Tagged:
With: 2 Comments
A SysOps administrator has an Amazon S3 website and wants to restrict access to a single Amazon CloudFront distribution.Visitors to the website should not be able to circumvent CloudFront or view the S3 website directly from the bucket.

Which AWS service or feature will meet these requirements?

S3 bucket ACL

AWS Firewall Manager

Amazon Route 53 private hosted zone

Origin access identity (OAI)

Explanations:

S3 bucket ACLs can be used to control access to the bucket, but they do not prevent direct access to the S3 website. Visitors could still access the S3 bucket directly if they know the URL.

AWS Firewall Manager is designed for managing security policies across AWS accounts and does not directly control access to S3 buckets or CloudFront distributions. It is not applicable for restricting S3 access to CloudFront.

An Amazon Route 53 private hosted zone is used for managing DNS within a private network and does not provide any mechanism to restrict access to an S3 bucket via CloudFront. It does not apply to the requirement of securing S3 access.

Origin access identity (OAI) is a special CloudFront feature that allows you to restrict access to the S3 bucket so that only requests coming through CloudFront can access the bucket. This ensures that users cannot access the S3 website directly.

2026-03-26

2 Comments

  1. Donna
    Author

    I compute that the answer is:
    Origin access identity (OAI)

  2. Gabriel
    Author

    I conclude that the answer is:
    Origin access identity (OAI)

Leave a Reply

Your email address will not be published. Required fields are marked *

14 − five =