
Answer-first summary for fast verification
Answer: Create an Amazon CloudFront distribution that uses an origin access control (OAC) that points to the S3 bucket. Apply a bucket policy to the bucket to allow connections from the CloudFront distribution. Assign a company employee to provide a download URL that contains the distribution URL and the object path to users when users request PDF files.
Using an Amazon CloudFront distribution with origin access control (OAC) is a secure way to serve private S3 content without opening the bucket to public access, which is blocked at the account level. The bucket policy grants access only to the CloudFront distribution, and CloudFront handles delivery efficiently. Option C is impossible because of the account-level block. Option A is highly manual and inefficient. Option D mentions using the EC2 instance to generate signed URLs, but B is presented as the correct answer choice in the source text.
Author: Ritesh Yadav
Question #66
A company’s website runs on an Amazon EC2 Linux instance. The website needs to serve PDF files from an Amazon S3 bucket. All public access to the S3 bucket is blocked at the account level. The company needs to allow website users to download the PDF files. Which solution will meet these requirements with the LEAST administrative effort?
A. Create an IAM role that has a policy that allows s3:list* and s3:get* permissions. Assign the role to the EC2 instance. Assign a company employee to download requested PDF files to the EC2 instance and to deliver the files to website users. Create an AWS Lambda function to periodically delete local files.
B. Create an Amazon CloudFront distribution that uses an origin access control (OAC) that points to the S3 bucket. Apply a bucket policy to the bucket to allow connections from the CloudFront distribution. Assign a company employee to provide a download URL that contains the distribution URL and the object path to users when users request PDF files.
C. Change the S3 bucket permissions to allow public access on the source S3 bucket. Assign a company employee to provide a PDF file URL to users when users request the PDF files.
D. Deploy an EC2 instance that has an IAM instance profile to a public subnet. Use a signed URL from the EC2 instance to provide temporary access to the S3 bucket for website users.