
Answer-first summary for fast verification
Answer: Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.
## Explanation

**Correct Answer: D**

**Why Option D is correct:**

1. **Origin Access Identity (OAI)**: This is the recommended approach to secure S3 origins for CloudFront distributions. OAI creates a special CloudFront user that can access the S3 bucket, and the S3 bucket policy is configured to only allow access from this OAI. This prevents direct access to the S3 bucket from the internet.
2. **AWS WAF on CloudFront**: AWS WAF can be directly associated with CloudFront distributions to inspect incoming traffic before it reaches the origin. This is the standard way to implement WAF protection for CloudFront-served content.
3. **Combined security**: This approach provides layered security: WAF inspects traffic at the edge, and OAI restricts origin access to only CloudFront.

**Why other options are incorrect:**

**Option A**: AWS WAF doesn't have an ARN that can be used in S3 bucket policies. S3 bucket policies can restrict access based on CloudFront OAI, specific IP addresses, or other AWS services, but not directly to a WAF ARN.

**Option B**: CloudFront doesn't "forward" requests to AWS WAF. Instead, AWS WAF is integrated with CloudFront as a web ACL that inspects requests before they're processed by CloudFront. The traffic flow is: Client → AWS WAF (web ACL) → CloudFront → Origin.

**Option C**: Security groups are for EC2 instances and VPC resources, not for S3 buckets. S3 uses bucket policies, not security groups. While associating WAF with CloudFront is correct, the security group approach for S3 is invalid.

**Key AWS Services Integration:**

- **CloudFront + S3 + OAI**: Standard pattern for static website hosting with CloudFront
- **CloudFront + AWS WAF**: WAF web ACLs can be attached to CloudFront distributions for traffic inspection
- **S3 bucket policies**: Used to restrict access to the CloudFront OAI only

This architecture ensures that:

1. All traffic is inspected by AWS WAF at the CloudFront edge
2. The S3 origin is protected from direct internet access via OAI
3. The solution follows AWS best practices for security and performance
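The two configuration pieces behind Option D, written out as an added example (this is not code from LeetQuiz or from AWS documentation): a bucket policy that admits only the CloudFront OAI, the public-read policy it replaces, a checker that flags any Allow statement whose principal is not an OAI (such a statement lets a client fetch objects from S3 directly and so skip the WAF web ACL), and the subset of a CloudFront `DistributionConfig` that wires the OAI and the web ACL together. It makes no AWS calls; the bucket name, OAI ID, account number and web ACL ARN are placeholders. The same policy shape applies to the newer origin access control (OAC), where the principal becomes the `cloudfront.amazonaws.com` service with an `AWS:SourceArn` condition naming the distribution.

```python
"""Bucket policy and distribution config for the CloudFront + S3 + OAI + WAF
design.  Added example with placeholder identifiers; no AWS API calls."""
import json
import re

# Placeholders (assumed values, not real resources).
BUCKET = "example-static-site-bucket"
OAI_ID = "EXAMPLEOAIID"  # CloudFront origin access identity ID
WEB_ACL_ARN = ("arn:aws:wafv2:us-east-1:123456789012:global/webacl/"
               "example-acl/00000000-0000-0000-0000-000000000000")


def oai_principal(oai_id: str) -> str:
    """IAM principal ARN CloudFront presents when it acts as the given OAI."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_only_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy granting object reads to the OAI and to nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


# The "before": a typical public static-website bucket policy.  Any client can
# read objects from S3 directly, bypassing CloudFront and therefore WAF.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

_OAI_RE = re.compile(
    r"^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+$")


def _principals(stmt: dict) -> list:
    """Flatten the Principal element into a list of principal strings."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(v if isinstance(v, list) else [v])
        return out
    return [p] if p else []


def find_bypass_statements(policy: dict) -> list:
    """Sids of Allow statements whose principal is not a CloudFront OAI.
    Each one is a path to the bucket that does not pass through WAF."""
    bad = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(not _OAI_RE.match(str(p)) for p in _principals(stmt)):
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


def distribution_config_with_waf(bucket: str, oai_id: str, web_acl_arn: str) -> dict:
    """Subset of a CloudFront DistributionConfig: S3 origin reached through the
    OAI, WAF web ACL attached via WebACLId (a WAFv2 web ACL ARN)."""
    return {
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "s3-origin",
            "DomainName": f"{bucket}.s3.amazonaws.com",
            "S3OriginConfig": {
                "OriginAccessIdentity": f"origin-access-identity/cloudfront/{oai_id}",
            },
        }]},
        "WebACLId": web_acl_arn,
    }


if __name__ == "__main__":
    print(json.dumps(oai_only_bucket_policy(BUCKET, OAI_ID), indent=2))
    print("bypass in public policy:", find_bypass_statements(PUBLIC_READ_POLICY))
    print("bypass in OAI policy:",
          find_bypass_statements(oai_only_bucket_policy(BUCKET, OAI_ID)))
```

`find_bypass_statements` is the check worth keeping around: run it over the bucket policy actually deployed, and a non-empty result means the "all traffic is inspected by WAF" requirement is not met regardless of what is attached to the distribution.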
Author: LeetQuiz Editorial Team
A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to store a static website. The company's security policy requires that all website traffic be inspected by AWS WAF. How should the solutions architect comply with these requirements?
A. Configure an S3 bucket policy to accept requests coming from the AWS WAF Amazon Resource Name (ARN) only.

B. Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin.

C. Configure a security group that allows Amazon CloudFront IP addresses to access Amazon S3 only. Associate AWS WAF to CloudFront.

D. Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.