Which solution meets these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A city is implementing an election results reporting website that will use Amazon CloudFront.The website runs on a fleet of Amazon EC2 instances behind anApplication Load Balancer (ALB) in an Auto Scaling group.Election results are updated hourly and are stored as .pdf files in an Amazon S3 bucket.A security engineer needs to ensure that all external access to the website goes through CloudFront.

Which solution meets these requirements?

Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.

Create an IAM role that allows CloudFront to access the specific S3 bucket. Modify the S3 bucket policy to allow only the new IAM role to access its contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.

Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Create an interface VPC endpoint for CloudFront to securely communicate with the ALB.

Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.

Explanations:

Using an IAM role for CloudFront to access S3 is incorrect, as CloudFront accesses S3 through an origin access identity (OAI), not IAM roles. Additionally, creating an interface VPC endpoint for CloudFront is unnecessary for communication with the ALB.

IAM roles are not used for CloudFront to access S3; an origin access identity (OAI) is required. Also, creating a security group for the ALB to only allow CloudFront access is a partial solution but does not guarantee the exclusive access through CloudFront.

While using an origin access identity (OAI) for S3 is correct, creating an interface VPC endpoint for CloudFront is unnecessary. CloudFront does not require VPC endpoints for communication with ALB when the ALB is publicly accessible.

This is the correct solution. Using an origin access identity (OAI) for CloudFront to access S3 and modifying the bucket policy is the right approach. Additionally, associating the ALB with a security group that restricts incoming traffic to only CloudFront ensures that all external access goes through CloudFront.

2025-10-11

1 Comment

  1. Ann
    Author

    I think the answer is:
    Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents. Associate the ALB with a security group that allows only incoming traffic from the CloudFront service to communicate with the ALB.

Leave a Reply to Ann Cancel reply

Your email address will not be published. Required fields are marked *

4 × three =