Q22 — AWS DVA-C02 Ch.3


A developer is testing a new file storage application that uses an Amazon CloudFront distribution to serve content from an Amazon S3 bucket. The distribution uses an Origin Access Identity (OAI) to access the S3 bucket. The S3 bucket policy explicitly denies access to all users except the OAI. The application presents users with a login page requiring authentication, after which signed cookies grant access to their personal storage directories. The developer configured the distribution with its default cache behavior and restricted viewer access, pointing the origin to the S3 bucket. However, when attempting to navigate to the login page, the developer receives a 403 Forbidden error. The developer needs a solution that allows unauthenticated access to the login page while preserving security for private content. Which solution satisfies these requirements?

Correct Answer: A. Add a second cache behavior to the distribution with the same origin as the default cache behavior. Set the path pattern of the second cache behavior to the login page path and allow unrestricted viewer access. Keep the default cache behavior settings unchanged.

Explanation

The 403 Forbidden error occurs because the CloudFront distribution uses an OAI, and the S3 bucket policy denies access to all principals except the OAI — including requests for the login page itself, which must be publicly accessible before authentication. The solution must allow unauthenticated access to the login page while keeping private content protected. Option A correctly addresses this by adding a dedicated cache behavior for the login page path with unrestricted viewer access, while leaving the default cache behavior (and its OAI-restricted access) intact for private content. Option B incorrectly modifies the default cache behavior, potentially exposing private content. Option C misuses failover origins and fails to resolve the core issue of public access to the login page. Option D attempts to bypass CloudFront restrictions via S3 direct access and redirection, violating the architecture and introducing security risks. Therefore, option A is the only valid solution.