Exam AWS Certified Security - Specialty SCS-C02 All Questions

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 139 discussion

A security engineer needs to set up an Amazon CloudFront distribution for an Amazon S3 bucket that hosts a static website. The security engineer must allow only specified IP addresses to access the website. The security engineer also must prevent users from accessing the website directly by using S3 URLs.

Which solution will meet these requirements?

  • A. Generate an S3 bucket policy. Specify cloudfront.amazonaws.com as the principal. Use the aws:SourceIp condition key to allow access only if the request comes from the specified IP addresses.
  • B. Create a CloudFront origin access control (OAC). Create the S3 bucket policy so that only the OAC has access. Create an AWS WAF web ACL, and add an IP set rule. Associate the web ACL with the CloudFront distribution.
  • C. Implement security groups to allow only the specified IP addresses access and to restrict S3 bucket access by using the CloudFront distribution.
  • D. Create an S3 bucket access point to allow access from only the CloudFront distribution. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.
Suggested Answer: B

Comments

5409b91
Highly Voted 6 months, 2 weeks ago
Selected Answer: B
Why not the other options?

Option A: Specifying cloudfront.amazonaws.com as the principal with the aws:SourceIp condition key in the bucket policy does not ensure that access is only through CloudFront, as it does not tie the access to a specific CloudFront distribution.

Option C: Security groups cannot be used to control access to S3 buckets; they are used for controlling access to EC2 instances, among other resources. This approach would not meet the requirement.

Option D: Using an S3 bucket access point is unnecessary when OACs and bucket policies can effectively manage the access requirements. Also, access points are more relevant for complex access control scenarios and do not inherently solve the issue of restricting direct S3 access via CloudFront.
upvoted 7 times
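To make the split of responsibilities in option B concrete, here is an added Python model (written for this discussion, not taken from the question or from any AWS SDK) of the two controls: the OAC bucket policy that only admits reads signed by one specific distribution, and the WAF IP set that filters client addresses at the edge. The bucket name, account id, distribution id and CIDR are constructed placeholders, and the policy evaluator is a deliberate simplification of IAM's real evaluation logic.

```python
import ipaddress

# Constructed example values, not taken from the question.
BUCKET = "example-static-site"
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
ALLOWED_CIDRS = ["203.0.113.0/24"]  # contents of the WAF IP set

def oac_bucket_policy(bucket, dist_arn):
    """Option B bucket policy: only the CloudFront service principal may read, and
    only for requests signed by this one distribution's OAC. No client IP logic
    here; that belongs in the web ACL attached to the distribution."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": dist_arn}},
    }]}

def bucket_allows(policy, req):
    """Simplified evaluator: Allow statements, exact principal/action match,
    prefix match on a wildcard resource, and the AWS:SourceArn condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != req["action"]:
            continue
        if stmt["Principal"].get("Service") != req.get("principal_service"):
            continue
        if not req["resource"].startswith(stmt["Resource"].rstrip("*")):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "AWS:SourceArn" not in cond or cond["AWS:SourceArn"] == req.get("source_arn"):
            return True
    return False  # no matching Allow statement: implicit deny

def waf_ip_allows(cidrs, client_ip):
    """IP set rule on the CloudFront web ACL: allow only the listed addresses."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in cidrs)

def site_reachable(client_ip, via_cloudfront, source_arn=None):
    """The web ACL filters at the edge, the bucket policy at the origin. A direct
    S3 URL bypasses CloudFront, so it carries neither the service principal nor
    a SourceArn and the bucket policy refuses it whatever the client IP."""
    if via_cloudfront and not waf_ip_allows(ALLOWED_CIDRS, client_ip):
        return False
    req = {"principal_service": "cloudfront.amazonaws.com" if via_cloudfront else None,
           "action": "s3:GetObject", "source_arn": source_arn,
           "resource": f"arn:aws:s3:::{BUCKET}/index.html"}
    return bucket_allows(oac_bucket_policy(BUCKET, DIST_ARN), req)
```

Calling site_reachable with an allowed IP through the right distribution returns True, while a blocked IP, a direct S3 URL, or a request signed by a different distribution's OAC all return False.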
navid1365
Most Recent 4 months, 1 week ago
Selected Answer: B
B is the correct answer
upvoted 1 times
Certified101
6 months, 2 weeks ago
Selected Answer: B
B is correct
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)