Confidential Documentation Web Server on AWS: CloudFront Method

Using CloudFront to Securely Serve Confidential Documentation on AWS

Question

You are building a large-scale confidential documentation web server on AWS, and all of the documentation for it will be stored on S3.

One of the requirements is that it cannot be publicly accessible from S3 directly.

You will need to use CloudFront to accomplish this.

Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below.

Answers

A. Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

B. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

C. Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront.

D. Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Explanations

Answer: B.

Option A is incorrect because CloudFront does not sign its requests to S3 as an IAM user. The identity you create for CloudFront, and then grant access to the objects in your S3 bucket, is an Origin Access Identity, not an IAM user.

Option B is CORRECT because when you want to serve S3 content through CloudFront without the S3 URLs being publicly readable, you create an Origin Access Identity, attach it to the S3 origin of your distribution, and write a bucket policy that grants s3:GetObject to that OAI only. S3 then accepts only the requests CloudFront signs as the OAI, so the objects can be reached only through CloudFront and not directly from the bucket.

Option C is incorrect because a bucket policy cannot grant access "only to CloudFront" unless it names a principal CloudFront can authenticate as, and without an OAI there is no such principal to name. Writing an ad hoc policy per bucket around that gap is not the pattern AWS recommends for using S3 as a CloudFront origin.

Option D is incorrect because a CloudFront distribution ID is not an IAM principal, so S3 has nothing it can match such a policy against, and the distribution itself has no origin access identity with which to sign its requests to S3, so CloudFront would not be able to serve from the S3 origin at all.

This also does not solve the problem of users using direct URLs to the S3 bucket to access a file there.

For more information on Origin Access Identity, please refer to the below URL:

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

To ensure that your confidential documentation web server on AWS is not publicly accessible from S3 directly, you need to use CloudFront. CloudFront is a Content Delivery Network (CDN) provided by AWS that helps deliver content to users with low latency and high transfer speeds.

To accomplish this, you can use an Origin Access Identity (OAI). An OAI is a special CloudFront user that you attach to the S3 origin of a distribution. When you create an OAI, it gets its own Amazon S3 canonical user ID and an ARN of the form arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>; either can be named as the principal in the bucket policy (or in object ACLs). If that grant is the only read permission on the bucket and the bucket is not otherwise public, requests for the objects succeed only when they come through the associated CloudFront distribution.

Option B, Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI, would satisfy the requirements as outlined.

Let's look at the other options:

Option A, Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User, is not the best solution. IAM users are for people and applications that sign AWS API requests with their own credentials; CloudFront does not sign origin requests as an IAM user, so granting an IAM user access to the bucket does nothing for CloudFront's own fetches. The identity CloudFront signs as is the OAI (or, in current AWS guidance, an Origin Access Control). Therefore, option A is not the correct answer.

Option C, Create individual policies for each bucket the documents are stored in and in that policy grant access to only CloudFront, is also not the best solution. Bucket policies are per bucket in any case, so the real problem is not the number of policies but what such a policy can say: "only CloudFront" requires a principal CloudFront can authenticate as, which is exactly the OAI that option C omits. Trying to approximate it by requester IP address instead (an aws:SourceIp condition listing CloudFront's published address ranges) is fragile and would admit every CloudFront distribution, including other customers', not just yours. Therefore, option C is not the correct answer.

Option D, Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN), is similar in spirit to option B but not a working solution. In an S3 bucket policy the Principal must be an AWS account, IAM principal, service principal or "*"; a distribution ID is none of these, so S3 cannot evaluate the policy as described, and CloudFront still has no identity with which to sign its requests. One caveat worth knowing: AWS now recommends Origin Access Control (OAC) over OAI, and with OAC the bucket policy does name the cloudfront.amazonaws.com service principal and restricts it to a single distribution with an AWS:SourceArn condition on the distribution ARN. That is the correct form of the idea option D gestures at, but it is not what option D says. Therefore, option D is not the best answer.

In conclusion, the correct option to satisfy the requirements as outlined is option B, Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
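The bucket policy the OAI explanation above calls for, and the OAC form that option D was reaching for, are shown below as an added example written for this page; it is not code from AWS or from the original question. The bucket name, OAI ID, account ID and distribution ID are constructed placeholders. The block also includes a small audit check that flags the weak setting (an anonymous-principal read grant) so the three policies can be compared offline:

```python
import json

# Constructed placeholder identifiers; substitute your own values.
BUCKET = "confidential-docs-example"
OAI_ID = "E1ABCDEFGHIJKL"            # hypothetical Origin Access Identity ID
ACCOUNT_ID = "111122223333"          # hypothetical AWS account ID
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"  # hypothetical CloudFront distribution ID


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Option B: grant s3:GetObject to the OAI and to nothing else.

    The OAI's principal ARN has the fixed form below; S3 resolves it to the
    OAI's canonical user ID. CloudFront signs origin requests as this identity.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {
                "AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
            },
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Origin Access Control form (current AWS recommendation).

    The principal is the CloudFront service itself, so the AWS:SourceArn
    condition is what pins the grant to one distribution; without it any
    CloudFront distribution in any account could read the bucket.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }},
        }],
    }


# The weak setting, constructed for contrast: a classic public-read policy,
# which violates the requirement that S3 not be directly accessible.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def _principal_is_anonymous(principal) -> bool:
    """True when the Principal element means "everyone": "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def allows_anonymous_read(policy: dict) -> bool:
    """Audit check: does any unconditioned Allow statement grant an S3 read
    to an anonymous principal? Conditioned grants are treated as not anonymous
    here, which is a simplification; a full audit would evaluate the condition."""
    read_actions = {"s3:GetObject", "s3:Get*", "s3:*", "*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if _principal_is_anonymous(stmt.get("Principal")) and read_actions & set(actions):
            return True
    return False


if __name__ == "__main__":
    candidates = [
        ("public-read", PUBLIC_READ_POLICY),
        ("oai", oai_bucket_policy(BUCKET, OAI_ID)),
        ("oac", oac_bucket_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID)),
    ]
    for name, policy in candidates:
        print(f"{name}: anonymous read = {allows_anonymous_read(policy)}")
    # This JSON is what you would save and apply with
    # `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`.
    print(json.dumps(oai_bucket_policy(BUCKET, OAI_ID), indent=2))
```

Two practical checks go with either policy: the bucket's Block Public Access settings should be on, so that no later ACL or policy edit can reopen direct access, and the distribution's origin must actually reference the OAI (or OAC); the bucket policy alone does nothing if CloudFront is still fetching anonymously.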