Q30 — AWS SCS-C02 Ch.1
Question 30 of 100
A security engineer needs to set up an Amazon CloudFront distribution for an Amazon S3 bucket that hosts a static website. The security engineer must allow only specified IP addresses to access the website. The security engineer also must prevent users from accessing the website directly by using S3 URLs. Which solution will meet these requirements?
- A. Generate an S3 bucket policy. Specify cloudfront.amazonaws.com as the principal. Use the aws:SourceIp condition key to allow access only if the request comes from the specified IP addresses.  
- B. Create a CloudFront origin access control (OAC). Create the S3 bucket policy so that only the OAC has access. Create an AWS WAF web ACL, and add an IP set rule. Associate the web ACL with the CloudFront distribution.   ✓
- C. Implement security groups to allow only the specified IP addresses access and to restrict S3 bucket access by using the CloudFront distribution.  
- D. Create an S3 bucket access point to allow access from only the CloudFront distribution. Create an AWS WAF web ACL and add an IP set rule. Associate the web ACL with the CloudFront distribution.
Correct Answer: B. Create a CloudFront origin access control (OAC). Create the S3 bucket policy so that only the OAC has access. Create an AWS WAF web ACL, and add an IP set rule. Associate the web ACL with the CloudFront distribution.  
Explanation
This question combines two CloudFront-plus-S3 controls: allow only specified viewer IP addresses, and stop anyone from bypassing CloudFront with a direct S3 URL. The AWS-recommended pattern is origin access control (OAC) together with AWS WAF. Option B meets both requirements: the OAC gives CloudFront a signed (SigV4) identity at the origin; the bucket policy grants s3:GetObject only to the cloudfront.amazonaws.com service principal, conditioned on AWS:SourceArn of that one distribution, so direct requests to the S3 URL are denied; and a web ACL whose default action is Block, with a single rule that allows an IP set, enforces the viewer allowlist at the edge before the request ever reaches the origin. Option A locks the bucket to the service principal but puts the IP check in the wrong place: the bucket policy is evaluated against CloudFront's origin fetch, not the viewer, so aws:SourceIp never matches the users' addresses, and the policy also omits the AWS:SourceArn condition that ties the grant to one specific distribution. Option C fails because security groups are VPC constructs; they do not apply to S3 or to CloudFront. Option D fails because an S3 access point is just an additional endpoint with its own policy; it does not by itself limit origin fetches to one CloudFront distribution, so an OAC would still be needed, and OAC is the mechanism AWS recommends for this. Two practical caveats: OAC works only when the origin is the bucket's REST endpoint, not the S3 static website endpoint, so set the site's index document as the distribution's default root object; and keep S3 Block Public Access enabled so the OAC statement is the bucket's only grant.
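To make option B concrete, the following added example (written for this page, not AWS documentation code) builds the two documents a reviewer would inspect, the S3 bucket policy for the OAC and the wafv2 CreateWebACL body with an IP-set allow rule, replays WAF's rule evaluation for a viewer address in a simplified model, and runs the review checks that distinguish option B from option A. The bucket name, account ID, distribution and IP set ARNs and CIDRs are constructed placeholders.

```python
"""Option B as reviewable documents: OAC bucket policy, WAF IP allowlist web ACL,
a simplified WAF evaluation, and bucket-policy review checks.
All identifiers below are constructed placeholders, not real AWS resources."""
import ipaddress
import json

# Constructed placeholder values (assumptions, not from the question).
BUCKET = "example-static-site"
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ARN = f"arn:aws:cloudfront::{ACCOUNT_ID}:distribution/E2EXAMPLE12345"
IP_SET_ARN = f"arn:aws:wafv2:us-east-1:{ACCOUNT_ID}:global/ipset/office-egress/abcd1234"
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]  # RFC 5737 documentation ranges


def oac_bucket_policy(bucket, distribution_arn):
    """Grant s3:GetObject to the CloudFront service principal only, and only for
    requests signed on behalf of this one distribution (AWS:SourceArn). With S3
    Block Public Access on, no other principal can read, so direct S3 URLs get 403."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
            }
        ],
    }


def ip_allowlist_web_acl(name, ip_set_arn):
    """wafv2 CreateWebACL request body: default action Block, one Allow rule that
    matches the referenced IP set. CLOUDFRONT-scoped web ACLs and IP sets are
    created in us-east-1."""
    visibility = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Block": {}},
        "Rules": [
            {
                "Name": "AllowListedIPs",
                "Priority": 0,
                "Action": {"Allow": {}},
                "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
                "VisibilityConfig": {**visibility, "MetricName": "AllowListedIPs"},
            }
        ],
        "VisibilityConfig": {**visibility, "MetricName": name},
    }


def viewer_allowed(web_acl, ip_sets, viewer_ip):
    """Simplified WAF evaluation: rules in priority order, the first rule whose IP set
    contains the viewer address decides, otherwise the default action applies.
    ip_sets maps IP set ARN -> list of CIDR strings (what CreateIPSet stored)."""
    addr = ipaddress.ip_address(viewer_ip)
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        arn = rule["Statement"]["IPSetReferenceStatement"]["ARN"]
        if any(addr in ipaddress.ip_network(cidr) for cidr in ip_sets[arn]):
            return "Allow" in rule["Action"]
    return "Allow" in web_acl["DefaultAction"]


def bucket_policy_findings(policy):
    """Origin-side review checks. IAM condition keys are case-insensitive, so they
    are compared lowercased. Returns an empty list for the option B policy."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal, direct S3 URLs work for everyone")
        elif principal == {"Service": "cloudfront.amazonaws.com"}:
            if "aws:sourcearn" not in keys:
                findings.append(f"{sid}: no AWS:SourceArn, any distribution with an OAC can read this bucket")
            if "aws:sourceip" in keys:
                findings.append(f"{sid}: aws:SourceIp is evaluated against CloudFront's origin fetch, not the viewer; restrict viewers in the web ACL")
    return findings


if __name__ == "__main__":
    print(json.dumps(oac_bucket_policy(BUCKET, DISTRIBUTION_ARN), indent=2))
    acl = ip_allowlist_web_acl("static-site-allowlist", IP_SET_ARN)
    print(json.dumps(acl, indent=2))
    for ip in ("203.0.113.9", "192.0.2.1"):
        verdict = viewer_allowed(acl, {IP_SET_ARN: ALLOWED_CIDRS}, ip)
        print(ip, "allowed" if verdict else "blocked")
```

In a real deployment the order is: `aws cloudfront create-origin-access-control` and attach the OAC ID to the S3 origin in the distribution config; put the bucket policy above on the bucket; `aws wafv2 create-ip-set --scope CLOUDFRONT --region us-east-1` with the allowed addresses; `aws wafv2 create-web-acl --scope CLOUDFRONT --region us-east-1` with the body above. Note that for CloudFront the web ACL is attached by setting its ARN as the distribution's WebACLId (via update-distribution), not with `wafv2 associate-web-acl`, which applies to regional resources only.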