Answer D. Use an OAI to lockdown CloudFront to S3 origin & enable WAF on CF distribution

By configuring CloudFront to forward all incoming requests to AWS WAF, the traffic will be inspected by AWS WAF before reaching the S3 origin, complying with the security policy requirement. This approach ensures that all website traffic is inspected by AWS WAF, providing an additional layer of security before accessing the content stored in the S3 origin. Option A is not the correct choice as configuring an S3 bucket policy to accept requests from the AWS WAF ARN only would bypass the inspection of traffic by AWS WAF. It does not ensure that all website traffic is inspected. Option C is not the optimal solution as it focuses on controlling access to S3 using a security group. Although it associates AWS WAF with CloudFront, it does not guarantee that all incoming requests are inspected by AWS WAF. Option D is not the recommended solution as configuring an OAI in CloudFront and restricting access to the S3 bucket does not ensure that all website traffic is inspected by AWS WAF. The OAI is used for restricting direct access to S3 content, but the traffic should still pass through AWS WAF for inspection.

The requirements indicate that S3 is used to "store" a static website, not that it must be configured as a static website (which does not make any sense if it's to be used with CF anyway). Furthermore, the requirements also indicate that all traffic must be inspected by WAF. If you do not setup OAI/OAC, you can potentially bypass CF and access S3 directly. So option B does not satisfy the second requirement.

Using an OAI (Origin Access Identity) restricts access to the S3 bucket, ensuring that only CloudFront can access the content. Enabling AWS WAF on the CloudFront distribution allows you to inspect website traffic and filter out malicious requests before they reach your S3 origin.

OAI is required so that S3 bucket is not accessed directly.

I guess D

There are two ways you can serve static websites on AWS S3 origin, either using website endpoints or REST API endpoints. Website endpoints does not support HTTPS. Note that the question does not mention which endpoint is used. https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html#WebsiteRestEndpointDiff B is incorrect because we do not 'forward' requests to AWS WAF, we attach WAF on the Cloudfront distribution itself. Could be bad wording of the question. D is totally valid because it doesn't mention using website endpoints. D also uses OAI to restrict direct access to objects in AWS S3. Although OAI is still viable in this point of time, it is still a legacy method and it is more recommended to use OAC instead. https://repost.aws/knowledge-center/cloudfront-serve-static-website

Option B ensures that all incoming requests to the static website served through Amazon CloudFront are first forwarded to AWS WAF for inspection before the content is requested from the S3 origin. This ensures that all website traffic is inspected by AWS WAF as required by the company's security policy.

D is not possible since you cannot set OAC or OAI if S3 bucket is used as static website host

WAF is associated to a Cloudfront Distribution

A: Doesn't make sense in context with CF. B: You configure WAF on CF for HTTP status handling so this may be right be is badly worded C: You might as well re-engineer S3 and CloudFront! D: The requirement for WAF usage is met with this. Doesn't have to be smart usage, just enabled.

some people use below link as supported point, but when you look into link, AWF is in front of CloudFront from traffic view. So, B is incorrect because 'there is no CloudFront forward requesting to ACL.' https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/

B. Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin. This option ensures that all website traffic passes through AWS WAF for inspection before reaching the S3 origin, complying with the security policy requirements. I appreciate your thorough analysis.

It's storage, not web endpoint.so It's http://[bucket-name].s3.[region].amazonaws.com ，and oai can be used

This resolution doesn't apply to S3 origins that are configured as a website endpoint. For example, AWSDOC-EXAMPLE-BUCKET.s3-website-us-east-1.amazonaws.com.

WAF is not a destination. WAF is attached to something to inspect traffic (ALB, CloudFront etc), so D is the correct answer.

voting B because of inspecting traffic