Distributing Objects with S3 Bucket and CloudFront: Implementation Steps

Question

Your company is planning to use an S3 bucket and a CloudFront distribution to distribute objects to users worldwide.

They want to ensure that users can only access the objects via the CloudFront URLs.

Which of the following implementation steps need to be carried out? Choose 2 answers from the options given below.

Explanations

Answer - B and D.

This is described in the AWS documentation:

To ensure that your users access your objects using only CloudFront URLs, regardless of whether the URLs are signed, perform the following tasks.

1. Create an origin access identity, which is a special CloudFront user, and associate the origin access identity with your distribution. (For web distributions, you associate the origin access identity with origins, so you can secure all or just some of your Amazon S3 content.)

2. Change the permissions either on your Amazon S3 bucket or on the objects in your bucket so that only the origin access identity has read permission (or read and download permission).

Since the documentation gives the recommended steps, the other options are invalid.

For more information on serving private content via CloudFront, please visit the below URL.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

To ensure that users can only access the objects via the CloudFront URLs, you need to carry out the following implementation steps:

  1. Create an Origin Access Identity (OAI): An OAI is a special CloudFront user that you can associate with your Amazon S3 bucket. When you create an OAI, it generates a special CloudFront domain name that you can use as the origin of your distribution. By using the OAI, you can ensure that users only access objects through the CloudFront distribution.

  2. Change the bucket permissions: You need to change the permissions on the S3 bucket so that only the OAI has read permissions. You can accomplish this by creating a bucket policy that grants the OAI access to the bucket. By doing this, you are preventing users from accessing the objects directly using the S3 URLs.
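The two steps above (OAI grant, and nothing but the OAI grant) as an added example that is not from the page or from AWS: it builds the bucket policy for step 2 and audits an existing policy for the usual mistake of leaving an older public-read statement next to the OAI grant. The bucket name and OAI ID are constructed placeholders.

```python
# Constructed placeholders: not a real bucket name or OAI identifier
BUCKET = "example-private-assets"
OAI_ID = "E2EXAMPLEOAIID"

def oai_principal_arn(oai_id: str) -> str:
    """IAM principal ARN form under which an OAI appears in an S3 bucket policy."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"

def build_oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Step 2: grant object read to the OAI and to nobody else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly", "Effect": "Allow",
            "Principal": {"AWS": oai_principal_arn(oai_id)},
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy: dict, oai_id: str) -> list:
    """Return findings that let a client bypass CloudFront; [] means object reads
    go to the expected OAI only. Statements carrying a Condition are not flagged."""
    findings, oai_can_read = [], False
    for st in _as_list(policy.get("Statement", [])):
        sid = st.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        grants_read = any(a in ("s3:getobject", "s3:get*", "s3:*", "*") for a in actions)
        if st.get("Effect") != "Allow" or not grants_read:
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p == oai_principal_arn(oai_id):
                oai_can_read = True
            elif p == "*" and "Condition" not in st:
                findings.append(f"{sid}: anonymous read via Principal '*' (direct S3 URLs work)")
            else:
                findings.append(f"{sid}: read granted to non-OAI principal {p}")
    if not oai_can_read:
        findings.append(f"no s3:GetObject grant for OAI {oai_id}")
    return findings

# Constructed sample of the common mistake: OAI grant added, legacy public read never removed
LEAKY_POLICY = build_oai_bucket_policy(BUCKET, OAI_ID)
LEAKY_POLICY["Statement"].append({"Sid": "LegacyPublicRead", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"})
```

Run the audit against the policy returned by `aws s3api get-bucket-policy` after step 2; any finding means the objects are still reachable without going through the distribution.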

Therefore, the correct answers are B and D.

Creating an IAM user with the desired Access Keys (Answer A) is not necessary for this implementation, as CloudFront doesn't require users to have an AWS account to access content.

Changing the permissions on the bucket for IAM users to have read permission (Answer C) is not the recommended approach because it could allow unauthorized access to the S3 bucket. Instead, the OAI should be used to control access to the bucket.