What must be done to prevent users from accessing the S3 objects directly by using URLs?
Change the S3 bucket/object permission so that only the bucket owner has access.
Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
Redirect S3 bucket access to the corresponding CloudFront distribution.
Explanations:
Changing the S3 bucket/object permission to allow only the bucket owner access does not prevent users from accessing the S3 objects directly if they have the correct URL. This option does not enforce routing through CloudFront.
Setting up a CloudFront origin access identity (OAI) allows CloudFront to access the S3 bucket while restricting direct access to the S3 objects. This ensures that only requests made through CloudFront can retrieve the content, effectively preventing bypassing of the distribution.
Creating IAM roles for CloudFront and changing the S3 bucket/object permissions to restrict access to the IAM role is not a typical method for controlling access in this scenario. CloudFront uses OAI specifically for this purpose, making this option unnecessary and incorrect.
Redirecting S3 bucket access to the CloudFront distribution does not prevent direct access to the S3 objects. Without proper permissions and access control, users could still access S3 URLs directly. This option does not enforce the desired restriction.
I sort that the answer is:
Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.