Q78 — AWS SOA-C02 Ch.1
A SysOps administrator needs to configure an Amazon S3 bucket to host a web application. The SysOps administrator has created the S3 bucket and has copied the static files for the web application to the S3 bucket. The company has a policy that all S3 buckets must not be public. What should the SysOps administrator do to meet these requirements?
- A. Create an Amazon CloudFront distribution. Configure the S3 bucket as an origin with an origin access identity (OAI). Give the OAI the s3:GetObject permission in the S3 bucket policy. ✓
- B. Configure static website hosting in the S3 bucket. Use Amazon Route 53 to create a DNS CNAME to point to the S3 website endpoint.
- C. Create an Application Load Balancer (ALB). Change the protocol to HTTPS in the ALB listener configuration. Forward the traffic to the S3 bucket.
- D. Create an accelerator in AWS Global Accelerator. Set up a listener configuration for port 443. Set the endpoint type to forward the traffic to the S3 bucket.
Correct Answer: A. Create an Amazon CloudFront distribution. Configure the S3 bucket as an origin with an origin access identity (OAI). Give the OAI the s3:GetObject permission in the S3 bucket policy.
Explanation
This question tests the ability to serve content from a private S3 bucket securely through a CloudFront origin access identity (OAI). AWS architecture best practice states that an OAI lets CloudFront fetch restricted S3 content on behalf of viewers without the bucket being made public. Option B, S3 static website hosting, forces the bucket to be public and so violates the stated policy; options C and D bring in other services but do not address the access-permission problem at all. Option A creates a virtual identity in the form of the OAI and pairs it with a bucket policy that allows only that identity to read objects, so content is distributed while the bucket stays private. This pattern comes from the AWS Security Best Practices for S3.
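Added example, not part of the exam page: the OAI-only bucket policy that option A describes, the anonymous-read policy option B would require, and a small check that tells a public policy from a restricted one. The bucket name and OAI ID are constructed placeholders.

```python
# Added example (not from the exam page): the OAI-only bucket policy that
# option A describes, the anonymous-read policy option B would need, and a
# check that tells them apart. Bucket name and OAI ID are constructed.
import json

BUCKET = "example-webapp-bucket"  # constructed placeholder
OAI_ID = "E1234567890ABC"         # constructed placeholder OAI ID

def _read_policy(bucket: str, sid: str, principal) -> dict:
    """Single-statement policy allowing s3:GetObject on every object."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow", "Principal": principal,
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Option A: only the CloudFront OAI's IAM-style ARN may read objects."""
    arn = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
    return _read_policy(bucket, "AllowCloudFrontOAIRead", {"AWS": arn})

def public_website_policy(bucket: str) -> dict:
    """Option B: static website hosting needs anonymous ('*') read access."""
    return _read_policy(bucket, "PublicReadGetObject", "*")

def _principals(p) -> set:
    """Flatten a Principal element ('*', str, list or {'AWS': ...}) to a set."""
    if isinstance(p, dict):
        p = p.get("AWS", [])
    return set(p) if isinstance(p, list) else {p}

def is_public(policy: dict) -> bool:
    """True if any Allow statement names the anonymous principal '*'.
    Simplified: ignores Condition blocks that could narrow the grant."""
    return any(s.get("Effect") == "Allow" and "*" in _principals(s.get("Principal", {}))
               for s in policy.get("Statement", []))

if __name__ == "__main__":
    print(json.dumps(oai_bucket_policy(BUCKET, OAI_ID), indent=2))
    print("website policy public:", is_public(public_website_policy(BUCKET)))  # True
    print("OAI policy public:", is_public(oai_bucket_policy(BUCKET, OAI_ID)))  # False
```

For new distributions AWS now recommends origin access control (OAC) over OAI; the bucket stays private in the same way, with the policy naming the cloudfront.amazonaws.com service principal instead of the OAI ARN.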