Which actions should the company take to secure the images to limit their distribution? (Choose two.)
Update the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI).
Update the website DNS record to use an Amazon Route 53 geolocation record deny list of countries where the company lacks a license.
Add a CloudFront geo restriction deny list of countries where the company lacks a license.
Update the S3 bucket policy with a deny list of countries where the company lacks a license.
Enable the Restrict Viewer Access option in CloudFront to create a deny list of countries where the company lacks a license.
Explanations:
Updating the S3 bucket policy to restrict access to a CloudFront origin access identity (OAI) ensures that only CloudFront can read from the S3 bucket and blocks requests that go to S3 directly from other sources. This helps control and secure access to the images.
A Route 53 geolocation record can be used to route traffic, but it doesn’t control access at the S3 or CloudFront level. Geolocation routing in Route 53 cannot restrict access to images from specific countries.
Adding a CloudFront geo restriction deny list allows the company to block access to the images from countries where it doesn’t have distribution rights. This is a key security feature in CloudFront for limiting access by geography.
S3 bucket policies do not support geolocation-based restrictions. They can restrict access based on IP, but not directly by country. Geo-restrictions need to be implemented at the CloudFront level.
The “Restrict Viewer Access” option in CloudFront limits access to viewers who present signed URLs or signed cookies; it does not apply country-based restrictions. For geo-restrictions, the CloudFront geo-blocking feature should be used instead.