Which solution will meet these requirements?
Add a second cache behavior to the distribution with the same origin as the default cache behavior. Set the path pattern for the second cache behavior to the path of the login page, and make viewer access unrestricted. Keep the default cache behavior’s settings unchanged.
Add a second cache behavior to the distribution with the same origin as the default cache behavior. Set the path pattern for the second cache behavior to *, and make viewer access restricted. Change the default cache behavior’s path pattern to the path of the login page, and make viewer access unrestricted.
Add a second origin as a failover origin to the default cache behavior. Point the failover origin to the S3 bucket. Set the path pattern for the primary origin to * and make viewer access restricted. Set the path pattern for the failover origin to the path of the login page, and make viewer access unrestricted.
Add a bucket policy to the S3 bucket to allow read access. Set the resource on the policy to the Amazon Resource Name (ARN) of the login page object in the S3 bucket. Add a CloudFront function to the default cache behavior to redirect unauthorized requests to the login page’s S3 URI.
Explanations:
Adding a second cache behavior for the login page allows unrestricted access to that page, while the default cache behavior continues to serve private content with restricted access.
Changing the default cache behavior’s path pattern to the login page would block access to other content and does not fulfill the requirement of restricted access to private content.
Adding a failover origin is not necessary here since only the login page needs unrestricted access, and the content should be served from the same origin.
Modifying the bucket policy to allow read access for the login page object contradicts the security model of using the OAI to restrict access. A CloudFront function isn’t needed for this scenario.