Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 205 discussion

The question here is whether the solution architect can change the requirement. The requirement says very clear about SFTP which cannot be addressed by option C. But the question also gives very clear hint about OAI which cannot be addressed by option D. Option D also doesn't mention anything about CloudFront which is part of the requirement of the question. So, if the requirement cannot be changed, D is the answer; if the requirement can be changed, C is the answer. But if the requirement can be changed, what's the limitation? That will be a Chaos. I'm voting C, and curse the question designer.

Hosting the website in a private S3 provides cost-effective and highly available storage for the static website content. By configuring a bucket policy to allow access from a CloudFront OAI, the S3 can be securely accessed only through CloudFront. This ensures that the website content is served through CloudFront while keeping the S3 private. Uploading website content using the AWS CLI allows for easy and efficient content management. A. Hosting the website on an Lightsail virtual server would introduce additional management overhead and costs compared to using S3 directly for static content hosting. B. Using an AWS ASG with EC2 instances and an ALB is not necessary for serving static website content. It would add unnecessary complexity and cost. D. While using AWS Transfer for SFTP allows for SFTP uploads, it introduces additional costs and complexity compared to directly uploading content to an S3 using the AWS CLI. Additionally, hosting the website content in a public S3 may not be desirable from a security standpoint.

"The company... use Amazon CloudFront" = C is the only option that mentions CloudFront.

This is another great example of how AWS creates crappy tests. Even internal Tests for employees have so many flaws that people is always creating tickets challenging Questions poorly worded.

Another reason why A is better than C: “ OAC helps you secure your origins, such as for Amazon S3. We recommend using OAC” “ If your origin is an Amazon S3 bucket configured as a website endpoint, you must set it up with CloudFront as a custom origin. That means you can't use OAC (or OAI)” https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

you can see in this figure that transfer family framework allows for the data to be available for a broad variety of use cases including content distribution (CF) https://d1.awsstatic.com/HIW%20SFTP%20Connectors%20v3.920176622d281d0bd087518827314169b496a055.png

I think the this is a big misleading " SFTP" ( doesn't usally upload) ，and it said clearly need Cloudfront and want a cheep solution. So I chose "C"

Transfering via AWS CLI is cheaper than via Transfer Family. It is not the best option, but will do the job of uploading the data to S3.

I'd go with D. In C there is no mention to S3 bucket being configured for web hosting. Simply adding the Cloudfront distribution and pointing that to the S3 won't work out of the box.

D - SFTP client to upload new documents.

D - SFTP client to upload new documents.

AWS transfer is a cost and doesn't mention using CloudFront https://aws.amazon.com/aws-transfer-family/pricing/

If you don't want to disable block public access settings for your bucket but you still want your website to be public, you can create a Amazon CloudFront distribution to serve your static website. For more information, see Use an Amazon CloudFront distribution to serve a static website in the Amazon Route 53 Developer Guide. https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html

I at first thought D but it is in fact C because "D: Create a public Amazon S3 bucket. Configure AWS Transfer for SFTP. Configure the S3 bucket for website hosting. Upload website content by using the SFTP client." questions says that the company has decided to use Amazon Cloudfront and this answer does not reference using CF and setting S3 as the Origin "C. Create a private Amazon S3 bucket. Use an S3 bucket policy to allow access from a CloudFront origin access identity (OAI). Upload website content by using the AWS CLI." - mentions CF and the origin and the AWS CLI does infact support transfer by SFTP (which was the part I originally doubted but this link evidences that it does: https://docs.aws.amazon.com/cli/latest/reference/transfer/describe-server.html

Option C, creating a private Amazon S3 bucket and using an S3 bucket policy to allow access from a CloudFront origin access identity (OAI), would not be the most cost-effective solution. While it would allow the company to use Amazon S3 for storage, it would also require additional setup and maintenance of the OAI, which would add additional cost. Additionally, this solution would not allow the use of SFTP client for uploading content which is the current method used by the company.

The Answer is C https://medium.com/aws-poc-and-learning/how-to-access-s3-hosted-website-via-cloudfront-using-oai-origin-access-identity-720ad7c57f15

Option C is a better choice than D for following reasons: (1) Cost effective: data transfer is cheaper for Cloudfront than directly from S3 bucket (2) Resilient: recovery from failures. Having a Cloudfront distribution and making S3 bucket policy only for Cloudfront. ie. private bucket (with OAI for access) hardens and betters resiliency.