Which combination of steps will meet these requirements?
(Choose two.)
Create an origin access identity (OAI) and associate it with the distribution. Change the permissions in the bucket policy so that only the OAI can read the objects.
Create an AWS WAF web ACL that includes the same IP restrictions that exist in the EC2 security group. Associate this new web ACL with the CloudFront distribution.
Create a new security group that includes the same IP restrictions that exist in the current EC2 security group. Associate this new security group with the CloudFront distribution.
Create a new security group that includes the same IP restrictions that exist in the current EC2 security group. Associate this new security group with the S3 bucket hosting the static content.
Create a new IAM role and associate the role with the distribution. Change the permissions either on the S3 bucket or on the files within the S3 bucket so that only the newly created IAM role has read and download permissions.
Explanations:
Create an OAI and restrict the bucket policy to it (correct): once only the OAI principal may call s3:GetObject, objects can be fetched only through the distribution, so a viewer who learns the S3 URL cannot skip CloudFront and whatever the web ACL enforces there. This only holds if any existing public-read statement is removed from the bucket policy and S3 Block Public Access stays on. OAI is the legacy mechanism; CloudFront now recommends origin access control (OAC), which additionally supports SSE-KMS objects and all S3 regions, but the exam answer is OAI.
Create an AWS WAF web ACL with the same IP restrictions and associate it with the distribution (correct): a web ACL whose default action is Block plus an Allow rule referencing an IP set reproduces the security group's source-IP allow list at the edge. A web ACL for CloudFront is created with scope CLOUDFRONT (in us-east-1 when using the API or CLI) and then associated with the distribution.
Associate a security group with the CloudFront distribution (incorrect): security groups are a VPC construct attached to network interfaces (EC2 instances, load balancers, and so on). CloudFront is a global edge service with no network interface in your VPC, so no security group can be associated with it; viewer IP restrictions at the edge are done with WAF (or with an edge function).
Associate a security group with the S3 bucket (incorrect): security groups cannot be attached to S3 buckets either. S3 can restrict by source IP with an aws:SourceIp condition in a bucket policy, but behind CloudFront the request reaches S3 from CloudFront's own edge addresses, not the viewer's, so that condition would not reproduce the EC2 restriction. The viewer IP has to be checked by WAF in front of the distribution.
Associate an IAM role with the distribution (incorrect): a CloudFront distribution cannot assume or be associated with an IAM role; the identity CloudFront presents to an S3 origin is an OAI (or OAC). An IAM role also carries no IP restriction by itself. The OAI plus WAF combination is the one that both locks the origin and restricts viewers.
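The two correct steps as a worked example, added here and not part of the original question or of any AWS documentation: it translates security-group ingress CIDRs into the address lists a WAF IP set needs (WAF keeps IPv4 and IPv6 in separate sets and rejects /0), builds the Block-by-default web ACL document, builds the OAI-only bucket policy, and audits a policy for the public-read statement that would let a client bypass the web ACL by going straight to S3. The sample ingress rules, the old bucket policy, the bucket name, the OAI ID and the IP set ARNs are all constructed placeholders; the documents are the shapes boto3's wafv2.create_web_acl and s3.put_bucket_policy accept, but nothing here calls AWS.

```python
import ipaddress
import json

# Constructed sample ingress rules, in the shape ec2 describe-security-groups
# returns under IpPermissions. All addresses are documentation ranges.
SAMPLE_SG_INGRESS = [
    {
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "198.51.100.7/32"}],
        "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}],
        # A rule whose source is another security group has no CIDR to copy.
        "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}],
    },
]

# Constructed "before" bucket policy: world-readable objects, the state in
# which a WAF rule on CloudFront is bypassable via the S3 URL.
OLD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-site/*",
    }],
}


def sg_to_ip_set_addresses(ingress_rules):
    """Split security-group CIDRs into the IPv4 and IPv6 lists for WAF IP sets.

    A 0.0.0.0/0 or ::/0 rule would turn the allow list into allow-all and WAF
    rejects /0 anyway, so it raises. Rules sourced from another security group
    cannot be expressed as CIDRs and are returned in `skipped` for manual review.
    """
    v4, v6, skipped = set(), set(), []
    for rule in ingress_rules:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                raise ValueError(f"{cidr} would allow all traffic; WAF rejects /0")
            (v4 if net.version == 4 else v6).add(str(net))
        skipped += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return sorted(v4), sorted(v6), skipped


def build_web_acl(name, ip_set_arns):
    """Web ACL document for wafv2 create-web-acl: block by default, allow only
    requests whose source IP is in one of the IP sets. CloudFront web ACLs use
    Scope CLOUDFRONT and are created in us-east-1."""
    def visibility(metric):
        return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                "MetricName": metric}
    rules = [
        {
            "Name": f"allow-ipset-{i}", "Priority": i,
            "Statement": {"IPSetReferenceStatement": {"ARN": arn}},
            "Action": {"Allow": {}},
            "VisibilityConfig": visibility(f"{name}-allow-{i}"),
        }
        for i, arn in enumerate(ip_set_arns)
    ]
    return {"Name": name, "Scope": "CLOUDFRONT", "DefaultAction": {"Block": {}},
            "Rules": rules, "VisibilityConfig": visibility(name)}


def build_oai_bucket_policy(bucket, oai_id):
    """Bucket policy that lets only the OAI read objects; it replaces, rather
    than adds to, any public-read statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::cloudfront:user/"
                                 f"CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def public_read_statements(policy):
    """Sids of Allow statements granting object reads to any principal.
    Any hit means the web ACL on CloudFront can be bypassed via S3 directly."""
    hits = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict)
                                      and principal.get("AWS") == "*")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        reads = any(a in ("s3:GetObject", "s3:*", "*") for a in actions)
        if st.get("Effect") == "Allow" and anyone and reads:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    v4, v6, skipped = sg_to_ip_set_addresses(SAMPLE_SG_INGRESS)
    print("IPv4 IP set:", v4, "IPv6 IP set:", v6, "not translatable:", skipped)
    # Hypothetical ARNs standing in for the IP sets created from v4 and v6.
    acl = build_web_acl("static-site-allowlist", [
        "arn:aws:wafv2:us-east-1:123456789012:global/ipset/v4/EXAMPLE",
        "arn:aws:wafv2:us-east-1:123456789012:global/ipset/v6/EXAMPLE"])
    print(json.dumps(acl, indent=2))
    print("public read before:", public_read_statements(OLD_BUCKET_POLICY))
    new_policy = build_oai_bucket_policy("example-static-site", "E1234567890ABC")
    print("public read after:", public_read_statements(new_policy))
```

The audit function is the check worth keeping around: after cutting over to the OAI policy, run it against the live policy (s3 get-bucket-policy) and treat any returned Sid as a bypass of the WAF allow list. Security-group entries that reference another security group show up in `skipped` because there is no CIDR to copy into an IP set; they need a separate decision.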