What should a solutions architect do to meet these requirements?
Write individual policies for each S3 bucket to grant read permission for only CloudFront access.
Create an IAM user. Grant the user read permission to objects in the S3 bucket. Assign the user to CloudFront.
Write an S3 bucket policy that assigns the CloudFront distribution ID as the Principal and assigns the target S3 bucket as the Amazon Resource Name (ARN).
Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI has read permission.
Explanations:
Writing individual policies for each S3 bucket multiplies management effort and still leaves the central question unanswered: which principal does the policy grant to? "CloudFront access" is not an identity you can name in a bucket policy on its own; without an origin access identity (or the CloudFront service principal scoped to a distribution) there is nothing to restrict the grant to, so the objects either stay readable at their S3 URLs or CloudFront cannot read them either.
Creating an IAM user with read permissions does not prevent direct access to S3 URLs and cannot be "assigned" to a distribution: CloudFront does not sign origin requests as an IAM user, so the user's credentials would have nowhere to live, and the bucket would still need its own access controls. The mechanism CloudFront provides for this is an origin access identity.
Writing a bucket policy that names the CloudFront distribution ID as the Principal does not work: a distribution ID is not an IAM principal, and S3 rejects a policy whose Principal is not a valid AWS account, IAM entity, service principal, or canonical user. The working form of this idea is CloudFront's newer origin access control (OAC), which uses the service principal cloudfront.amazonaws.com with a condition on AWS:SourceArn matching the distribution ARN, but that is not what the option describes, and as written it neither grants CloudFront access nor prevents direct navigation to the S3 URLs.
Creating an origin access identity (OAI), attaching it to the distribution's S3 origin, and writing a bucket policy that grants s3:GetObject only to that OAI means CloudFront is the sole principal that can read the objects. Anonymous requests to the S3 URL are denied, so users must go through the distribution. Two checks a practitioner should make: keep S3 Block Public Access enabled on the bucket so no object ACL or later policy edit can reopen public read, and be aware that AWS now recommends OAC over OAI for new distributions; the exam answer is still the OAI, and OAC applies the same principle (a CloudFront-only principal in the bucket policy).
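The OAI bucket policy and the CLI steps that wire it up, as an added example rather than anything from the original question or AWS documentation. The bucket name, OAI ID and distribution are placeholders; the `aws` calls run only when `APPLY=1` is set, so the script can be sourced offline to inspect the generated policy.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Generates the S3 bucket policy that
# grants s3:GetObject to a single CloudFront origin access identity (OAI) and
# shows the CLI calls that create the OAI, lock the bucket down and install the
# policy. BUCKET and the OAI ID are placeholders supplied by the caller.
set -euo pipefail

# Emit a bucket policy whose only grant is read access for the given OAI.
# Usage: oai_bucket_policy <bucket-name> <oai-id>
oai_bucket_policy() {
  local bucket="$1" oai_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOAIReadOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${oai_id}"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Deployment steps (real AWS CLI commands; executed only when APPLY=1):
#  1. create the OAI and capture its ID
#  2. keep Block Public Access on so no ACL or policy can grant anonymous read
#  3. install the policy above
#  4. attach the OAI to the distribution's S3 origin (origin config edit in the
#     console or via update-distribution; not scripted here)
if [ "${APPLY:-0}" = "1" ]; then
  BUCKET="${BUCKET:?set BUCKET to the origin bucket name}"
  OAI_ID=$(aws cloudfront create-cloud-front-origin-access-identity \
    --cloud-front-origin-access-identity-config \
    "CallerReference=$(date +%s),Comment=OAI for ${BUCKET}" \
    --query 'CloudFrontOriginAccessIdentity.Id' --output text)
  aws s3api put-public-access-block --bucket "$BUCKET" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws s3api put-bucket-policy --bucket "$BUCKET" \
    --policy "$(oai_bucket_policy "$BUCKET" "$OAI_ID")"
  echo "Created OAI ${OAI_ID}; now set it as the origin access identity on the distribution's S3 origin."
fi
```

After the OAI is attached to the origin, a direct `curl https://BUCKET.s3.amazonaws.com/index.html` should return 403 while the same object served through the distribution domain returns 200; if the direct request still succeeds, look for a public object ACL or a second Allow statement in the bucket policy.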