A company is launching a web-based application in multiple regions around the world.The application consists of both static content stored in a private AmazonS3 bucket and dynamic content hosted in Amazon ECS containers content behind an Application Load Balancer (ALB).The company requires that the static and dynamic application content be accessible through Amazon CloudFront only.
Which combination of steps should a solutions architect recommend to restrict direct content access to CloudFront?
(Choose three.)
Create a web ACL in AWS WAF with a rule to validate the presence of a custom header and associate the web ACL with the ALB.
Create a web ACL in AWS WAF with a rule to validate the presence of a custom header and associate the web ACL with the CloudFront distribution.
Configure CloudFront to add a custom header to origin requests.
Configure the ALB to add a custom header to HTTP requests.
Update the S3 bucket ACL to allow access from the CloudFront distribution only.
Create a CloudFront Origin Access Identity (OAI) and add it to the CloudFront distribution. Update the S3 bucket policy to allow access to the OAI only.