
Answer-first summary for fast verification
Answer: Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI has read permission.
## Explanation

The correct answer is **D** because:

1. **Origin Access Identity (OAI)** is specifically designed for this use case: restricting direct access to S3 objects while allowing CloudFront to serve them.
2. **How OAI works**:
   - Create an OAI (a special CloudFront user)
   - Assign the OAI to the CloudFront distribution
   - Configure the S3 bucket policy to allow access only to the OAI
   - This prevents direct S3 URL access while allowing CloudFront to fetch objects
3. **Why the other options are incorrect**:
   - **A**: Writing individual policies for each bucket is inefficient and doesn't use the proper CloudFront mechanism
   - **B**: IAM users are for human/application access, not for CloudFront-to-S3 communication
   - **C**: A CloudFront distribution ID cannot be used as a Principal in an S3 bucket policy; the OAI is the correct entity
4. **Best practice**: Using an OAI is the AWS-recommended approach for securing S3 origins behind CloudFront distributions. It ensures that content can only be accessed through CloudFront URLs, not directly via S3 URLs.
5. **Implementation steps**:
   - Create the OAI in CloudFront
   - Update the CloudFront distribution to use the OAI
   - Modify the S3 bucket policy to grant `s3:GetObject` permission to the OAI
   - Optionally, remove any public access permissions from the S3 bucket
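The bucket policy from the implementation steps above, as an added example (not part of the original question or explanation). The bucket name `example-file-share` and the OAI ID `E1EXAMPLE` are placeholders; the OAI's principal ARN takes the fixed form `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <OAI-ID>`. The single statement grants only `s3:GetObject` on objects in the bucket, so the OAI cannot list the bucket or read other buckets, and no other principal is granted anything:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOAIReadOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-file-share/*"
    }
  ]
}
```

Two checks close the loop: keep the bucket's Block Public Access settings enabled so no stray ACL or `"Principal": "*"` statement reopens direct access, then confirm that fetching an object through the CloudFront domain returns 200 while fetching the same key through the S3 URL returns 403. Note that AWS now recommends origin access control (OAC) as the successor to OAI for new distributions; the bucket-policy shape is the same idea, with the CloudFront service principal and a distribution ARN condition in place of the OAI principal.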
Author: LeetQuiz Editorial Team
A company is developing a file-sharing application that will use an Amazon S3 bucket for storage. The company wants to serve all the files through an Amazon CloudFront distribution. The company does not want the files to be accessible through direct navigation to the S3 URL. What should a solutions architect do to meet these requirements?
A
Write individual policies for each S3 bucket to grant read permission for only CloudFront access.
B
Create an IAM user. Grant the user read permission to objects in the S3 bucket. Assign the user to CloudFront.
C
Write an S3 bucket policy that assigns the CloudFront distribution ID as the Principal and assigns the target S3 bucket as the Amazon Resource Name (ARN).
D
Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI has read permission.