Q78 — AWS SOA-C02 Ch.1

Question 78 of 100 | ← Chapter 1

A SysOps administrator needs to configure an Amazon S3 bucket to host a web application. The SysOps administrator has created the S3 bucket and has copied the static files for the web application to the S3 bucket. The company has a policy that all S3 buckets must not be public. What should the SysOps administrator do to meet these requirements?

Correct Answer: A. Create an Amazon CloudFront distribution. Configure the S3 bucket as an origin with an origin access identity (OAI). Give the OAI the s3:GetObject permission in the S3 bucket policy.

Explanation

该题考察通过CloudFront Origin Access Identity (OAI)安全访问私有S3桶的能力。AWS官方架构最佳实践指出,OAI允许CloudFront代表用户访问受限制的S3内容,无需公开存储桶。选项B启用S3静态网站会强制公开桶,违反题干要求;选项C/D涉及其他服务但未解决权限问题。选项A通过OAI生成虚拟身份,配合仅允许该身份读取对象策略,在保持S3私有状态下实现内容分发,出自AWS Security Best Practices for S3。