How should the solutions architect comply with these requirements?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to store a static website.The company’s security policy requires that all website traffic be inspected by AWS WAF.

How should the solutions architect comply with these requirements?

Configure an S3 bucket policy to accept requests coming from the AWS WAF Amazon Resource Name (ARN) only.

Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin.

Configure a security group that allows Amazon CloudFront IP addresses to access Amazon S3 only. Associate AWS WAF to CloudFront.

Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.

Explanations:

S3 bucket policies cannot restrict access to AWS WAF ARNs. Instead, access should be controlled through CloudFront or origin access identities.

AWS WAF cannot be configured to inspect requests before they reach the S3 origin directly; it must be applied at the CloudFront level.

Security groups cannot be applied to S3; access control is done via bucket policies or OAI. AWS WAF needs to be associated with CloudFront, not directly with IPs.

Using an origin access identity (OAI) restricts S3 bucket access to CloudFront only. AWS WAF can be enabled on the CloudFront distribution to inspect traffic, complying with security policies.

2025-10-23

1 Comment

  1. Dylan
    Author

    I would say the answer is:
    Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.

Leave a Reply

Your email address will not be published. Required fields are marked *

seven + 11 =