Q23 — AWS SAA-C03 Ch.1
Q23. A solution architect must design a solution that uses Amazon CloudFront with Amazon S3 to store a static website. The company security policy requires that all website traffic be inspected by AWS WAF. How should the solution architect comply with these requirements?
- A. Configure an S3 bucket policy to accept requests coming from the AWS WAF Amazon Resource Name (ARN) only
- B. Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin.
- C. Configure a security group that allows Amazon CloudFront IP addresses to access Amazon S3 only. Associate AWS WAF to CloudFront.
- D. Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution. ✓
Correct Answer: D. Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.
Explanation
Use an OAI to restrict direct access to S3 so that the content is exposed only at the CloudFront layer. Use AWS WAF in front of CloudFront to intercept requests beforehand.