Which action should the Administrator take to ensure that users access objects in Amazon S3 by using only CloudFront URLs?
Encrypt the S3 bucket content with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Create an origin access identity and grant it permissions to read objects in the S3 bucket
Assign an IAM user to the CloudFront distribution and whitelist the IAM user in the S3 bucket policy
Assign an IAM role to the CloudFront distribution and whitelist the IAM role in the S3 bucket policy
Explanations:
Encrypting the S3 bucket content with SSE-S3 does not restrict access to the bucket and does not ensure that objects are accessed only through CloudFront URLs.
Creating an origin access identity (OAI) for CloudFront and granting it permissions to read objects from the S3 bucket ensures that users can only access the objects through CloudFront URLs and not directly from S3, provided the bucket policy grants read access to the OAI only and the objects are not otherwise public.
Assigning an IAM user to the CloudFront distribution and whitelisting the IAM user in the S3 bucket policy is unnecessary and overly complex. OAI is the preferred method for this purpose.
Assigning an IAM role to the CloudFront distribution and whitelisting the IAM role in the S3 bucket policy is not the correct approach. The OAI method is simpler and more appropriate.
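The following bucket policy is an added illustration of the OAI approach from the explanation above; it is not part of the original question or of any AWS documentation. The OAI ID EXAMPLEOAIID and the bucket name example-bucket are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnlyThroughCloudFrontOAI",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

With S3 Block Public Access enabled on the bucket and no other Allow statements, a request to the direct S3 URL is denied (HTTP 403) while the same object is served through the CloudFront URL, which is the check that confirms the restriction is working.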