What should a solutions architect do to meet these requirements?
Write individual policies for each S3 bucket to grant read permission for only CloudFront access.
Create an IAM user. Grant the user read permission to objects in the S3 bucket. Assign the user to CloudFront.
Write an S3 bucket policy that assigns the CloudFront distribution ID as the Principal and assigns the target S3 bucket as the Amazon Resource Name (ARN).
Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI has read permission.
Explanations:
Writing a separate bucket policy "for only CloudFront access" does not work as stated: a bucket policy has no generic way to name CloudFront as a principal, so without an identity such as an OAI to grant to, the policy either stays open or grants nothing. Repeating that per bucket is also inefficient and not scalable; a single OAI reused across buckets and distributions is preferred.
Creating an IAM user does not help because CloudFront cannot authenticate to an S3 origin as an IAM user. IAM users carry long-lived access keys intended for people and applications, and there is no way to attach one to a distribution. The bucket would still have to be readable by some other means, so direct S3 access is not restricted. This is not a best practice for this scenario.
Assigning the CloudFront distribution ID as the Principal is not valid. A bucket policy Principal must be an AWS account, an IAM identity, a service principal, or an OAI's canonical user or ARN; a distribution ID is none of these, so the policy is either rejected or has to be loosened in a way that still does not block requests that bypass CloudFront.
Creating an origin access identity (OAI), assigning it to the distribution, and writing a bucket policy that grants s3:GetObject only to that OAI ensures that files are accessible only through CloudFront. With S3 Block Public Access enabled and no public ACLs on the objects, a request to the direct S3 URL returns 403 while the CloudFront URL is served. (AWS now recommends origin access control, OAC, over OAI for new distributions; the bucket-policy pattern is the same, with the cloudfront.amazonaws.com service principal and an AWS:SourceArn condition naming the distribution in place of the OAI principal.)
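As an added example (not from the original page or from AWS documentation), the following Python builds the OAI-only bucket policy described above and includes a small auditor that reports any statement letting the anonymous principal read objects, so the hardened policy can be checked against the classic public-read policy it replaces. The bucket name and OAI ID are constructed placeholders.

```python
"""Bucket policy for a CloudFront origin access identity (OAI) plus an
auditor that reports statements allowing anyone to read objects.
Example code added to this page; not AWS documentation."""
import fnmatch
import json

# Constructed placeholders (assumptions, not real resources).
BUCKET = "example-static-site"
OAI_ID = "E74FTE3AEXAMPLE"


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy granting s3:GetObject on every object to one OAI only.
    The principal ARN format is the one CloudFront uses for an OAI."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/"
                           f"CloudFront Origin Access Identity {oai_id}"
                },
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


# The classic "public website" policy, constructed here as the insecure
# counterpart: anyone can fetch objects straight from the S3 URL.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_get_object(stmt: dict) -> bool:
    """True if the statement's Action covers s3:GetObject (wildcards included)."""
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower())
               for a in _as_list(stmt.get("Action")))


def _principals(stmt: dict) -> list:
    """Flatten the Principal element ("*", {"AWS": ...}, {"Service": ...})."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def read_principals(policy: dict) -> list:
    """Every principal that some Allow statement lets read objects."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and _allows_get_object(stmt):
            found.update(_principals(stmt))
    return sorted(found)


def public_read_statements(policy: dict) -> list:
    """Sids of Allow statements granting object reads to the anonymous
    principal "*". Conditions are ignored on purpose: a public principal in a
    bucket policy deserves review even when it is conditioned."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if (stmt.get("Effect") == "Allow" and _allows_get_object(stmt)
                and "*" in _principals(stmt)):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    policy = oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(policy, indent=2))
    print("OAI policy, public read statements:", public_read_statements(policy))
    print("public policy, public read statements:",
          public_read_statements(PUBLIC_READ_POLICY))
```

The policy alone is not sufficient: the bucket must also have Block Public Access enabled and no public object ACLs, or the S3 URL stays readable regardless of what the auditor reports. An object uploaded with a `public-read` ACL, for example, is readable even though the bucket policy grants nothing to `*`.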