SAA-C03 exam practice questions with detailed answers Question 2
A company is working on a file-sharing application that will use an Amazon S3 bucket for storage. The company intends to make all the files accessible only through an Amazon CloudFront distribution, not directly from S3. What should the solutions architect do to meet this requirement?
A. Create specific policies for each S3 bucket, granting read authorization exclusively to CloudFront access.
B. Create an IAM user with read access to the S3 bucket objects and link the user to CloudFront.
C. Create an S3 bucket policy that identifies the CloudFront distribution ID as the principal and the target S3 bucket as the Amazon Resource Name (ARN).
D. Create an origin access identity (OAI), associate the OAI with the CloudFront distribution, and adjust the S3 bucket permissions so that only the OAI can read from the bucket.
Let's analyze the options. Which is the correct answer?
Explanation:
- Scenario Analysis:
  - The company wants files in the S3 bucket to be accessible only via CloudFront and not directly from S3.
  - To achieve this, access to the S3 bucket must be restricted so that only the CloudFront distribution has read access.
- Why Option D is Correct:
  - An Origin Access Identity (OAI) is a special CloudFront identity that provides secure access between CloudFront and the S3 bucket.
  - By associating the OAI with the CloudFront distribution, you grant CloudFront exclusive read access to the S3 bucket while preventing direct public access to the bucket.
  - The bucket policy is updated to allow the OAI to read objects while denying public access.
- Why the Other Options are Incorrect:
  - A: Creating specific policies for the bucket neither restricts access to CloudFront alone nor uses an OAI for secure access.
  - B: IAM users are not required for this use case. IAM users are for programmatic access or human users, not for CloudFront.
  - C: You cannot directly assign a CloudFront distribution ID as a principal in an S3 bucket policy. This is not how CloudFront integrates with S3.
Solution:
- Create an OAI in CloudFront.
- Update the S3 bucket policy to allow read access only for the OAI.
- Deny all public access to the S3 bucket.
This ensures secure file access only through the CloudFront distribution.
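The following is an added example (not part of the original question or answer) that shows what the solution steps above look like as an S3 bucket policy. It builds the OAI-only policy, places it beside the weak public-read policy it replaces, and audits each one for anonymous access. The bucket name and OAI ID are constructed placeholders; the OAI principal ARN format (`arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>`) is the one CloudFront uses for an OAI in a bucket policy.

```python
import json

# Constructed placeholder values for this example; substitute your own.
BUCKET = "example-file-share-bucket"
OAI_ID = "E1EXAMPLEOAIID"


def oai_principal_arn(oai_id: str) -> str:
    """ARN form CloudFront uses for an OAI when it appears as a policy principal."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy allowing s3:GetObject on the bucket's objects only for the OAI."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal_arn(oai_id)},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


# The weak setting, for contrast: a constructed policy granting anonymous read,
# which lets clients bypass CloudFront and fetch objects from S3 directly.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}


def _principals(statement: dict) -> list:
    """Flatten the Principal element of a statement into a list of strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():
        values.extend(v if isinstance(v, list) else [v])
    return values


def audit_policy(policy: dict) -> dict:
    """Summarize which principals a policy allows and flag anonymous ("*") access.

    Only Allow statements are inspected; Condition elements are ignored, so a
    flagged policy may still be narrowed by conditions in practice.
    """
    allowed, public = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _principals(stmt):
            if p == "*":
                public = True
            else:
                allowed.append(p)
    return {"public_allow": public, "allowed_principals": allowed}


def render_policy(policy: dict) -> str:
    """JSON text suitable for saving and applying with the AWS CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, pol in [("OAI-only", oai_bucket_policy(BUCKET, OAI_ID)),
                      ("public-read", PUBLIC_READ_POLICY)]:
        print(name, audit_policy(pol))
    print(render_policy(oai_bucket_policy(BUCKET, OAI_ID)))
```

The rendered JSON can be saved to a file and applied with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`; the "deny all public access" step is enforced separately with `aws s3api put-public-access-block`, which blocks public ACLs and public bucket policies without affecting the OAI grant, since the OAI principal is a specific identity rather than "*".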