Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 131 discussion

I want to restrict access to my Amazon Simple Storage Service (Amazon S3) bucket so that objects can be accessed only through my Amazon CloudFront distribution. How can I do that? Create a CloudFront origin access identity (OAI) https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/

The key reasons are: An OAI provides secure access between CloudFront and S3 without exposing the S3 bucket publicly. The OAI is associated with the CloudFront distribution. The S3 bucket policy limits access only to that OAI. This ensures only CloudFront can access the objects, not direct S3 access. Option A is complex to manage individual bucket policies. Option B exposes credentials that aren't needed. Option C works but OAI is the preferred method. So using an origin access identity provides the most secure way to serve private S3 content through CloudFront. The OAI prevents direct public access to the S3 bucket.

C would also work but missing important details in the answer D is legacy and architect should not recommend it

"If your users try to access objects using Amazon S3 URLs, they're denied access. The origin access identity has permission to access objects in your Amazon S3 bucket, but users don't." https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

To meet the requirements of serving files through CloudFront while restricting direct access to the S3 bucket URL, the recommended approach is to use an origin access identity (OAI). By creating an OAI and assigning it to the CloudFront distribution, you can control access to the S3 bucket. This setup ensures that the files stored in the S3 bucket are only accessible through CloudFront and not directly through the S3 bucket URL. Requests made directly to the S3 URL will be blocked. Option A suggests writing individual policies for each S3 bucket, which can be cumbersome and difficult to manage, especially if there are multiple buckets involved. Option B suggests creating an IAM user and assigning it to CloudFront, but this does not address restricting direct access to the S3 bucket URL. Option C suggests writing an S3 bucket policy with CloudFront distribution ID as the Principal, but this alone does not provide the necessary restrictions to prevent direct access to the S3 bucket URL.

DECEMBER 2022 UPDATE: Restricting access to an Amazon S3 origin: CloudFront provides two ways to send authenticated requests to an Amazon S3 origin: origin access control (OAC) and origin access identity (OAI). We recommend using OAC because it supports: All Amazon S3 buckets in all AWS Regions, including opt-in Regions launched after December 2022 Amazon S3 server-side encryption with AWS KMS (SSE-KMS) Dynamic requests (PUT and DELETE) to Amazon S3 OAI doesn't work for the scenarios in the preceding list, or it requires extra workarounds in those scenarios. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

The correct answer is D. To meet the requirements, the solutions architect should create an origin access identity (OAI) and assign it to the CloudFront distribution. The S3 bucket permissions should be configured so that only the OAI has read permission. An OAI is a special CloudFront user that is associated with a CloudFront distribution and is used to give CloudFront access to the files in an S3 bucket. By using an OAI, the company can serve the files through the CloudFront distribution while preventing direct access to the S3 bucket. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

D is the right answer

D is correct but instead of OAI using OAC would be better since OAI is legacy

D is correct