Create an IAM policy and an IAM role that allow access to the first S3 bucket. Assign the role to the CloudFront

distribution and the other resources that need access to the first S3bucket. Create an origin access identity (OAI) for the

CloudFront distribution. Create an S3 bucket policy for the the second S3 bucket that allows access only with the OAI

as the principal.

Create a separate S3 bucket policy for each S3 bucket. Configure the policy for the first S3 bucket to allow read

access to appropriate AWS resources and the CloudFront distribution as principals. Configure the policy for the second S3 bucket to allow only read access for the CloudFront distribution as the principal.

Create a separate origin access identity (OAI) for the CloudFront distribution for each S3 bucket.

Configure the first OAI to include access for the other AWS resources Configure the second OAI to include only

CloudFront. Update the S3 bucket policies to restrict access to the correct OAIs.

Create a separate origin access identity (OAI) for the CloudFront distribution for each S3 bucket. Create an S3 bucket

policy for the first S3 bucket that allows access to the appropriate AWS resources and the OAI as principals Create an

S3

bucket policy for the the second S3 bucket that allows access to the appropriate OAI as the principal.