Which solution will meet these requirements?
Configure S3 Block Public Access on the S3 bucket. Update the S3 bucket policy to allow the GetObject action from only the CloudFront distribution.
Configure Origin Shield in the CloudFront distribution. Update the CloudFront origin to include a custom Origin_Shield header.
Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Update the S3 bucket policy to restrict access to the OAI.
Create an origin access identity (OAI). Assign the OAI to the S3 bucket. Update the CloudFront origin to include a custom Origin header with the OAI value.
Explanations:
S3 Block Public Access prevents public access to the S3 bucket but does not specifically restrict access to CloudFront. The S3 bucket policy needs to restrict access to the CloudFront distribution, not just rely on Block Public Access.
Origin Shield is used to reduce latency by caching content in specific AWS regions and does not address restricting direct access to the S3 bucket. Adding a custom Origin_Shield header will not achieve the requirement.
Creating an Origin Access Identity (OAI) and assigning it to the CloudFront distribution ensures that only CloudFront can access the S3 bucket. Updating the S3 bucket policy to allow access only from the OAI enforces this restriction.
While using an OAI is correct, the option to assign the OAI directly to the S3 bucket is not accurate. The OAI is assigned to the CloudFront distribution, not the S3 bucket, and adding a custom Origin header is unnecessary.
From my point of view, the answer is:
Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Update the S3 bucket policy to restrict access to the OAI.