What should the SysOps administrator do to meet this requirement?

SOA-C02 V5 0 Comments

A company has an Amazon CloudFront distribution that uses an Amazon S3 bucket as its origin. During a review of the access logs, the company determines that some requests are going directly to the S3 bucket by using the website hosting endpoint. A SysOps administrator must secure the S3 bucket to allow requests only from CloudFront.

What should the SysOps administrator do to meet this requirement?
A . Create an origin access identity (OAI) in CloudFront. Associate the OAI with the distribution. Remove access to and from other principals in the S3 bucket policy. Update the S3 bucket policy to allow access only from the OAI.
B . Create an origin access identity (OAI) in CloudFront. Associate the OAI with the distribution. Update the S3 bucket policy to allow access only from the OAI. Create a new origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use the new origin. Remove the existing origin.
C . Create an origin access identity (OAI) in CloudFront. Associate the OAI with the distribution. Update the S3 bucket policy to allow access only from the OAI. Disable website hosting. Create a new origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use the new origin. Remove the existing origin.
D . Update the S3 bucket policy to allow access only from the CloudFront distribution. Remove access to and from other principals in the S3 bucket policy. Disable website hosting. Create a new origin, and specify the S3 bucket as the new origin. Update the distribution behavior to use the new origin. Remove the existing origin.

Answer: A

Explanation:

To secure the S3 bucket and allow access only from CloudFront, the following steps should be taken:

Create an OAI in CloudFront:

In the CloudFront console, create an origin access identity (OAI) and associate it with your CloudFront distribution.

Reference: Restricting Access to S3 Buckets

Update S3 Bucket Policy:

Modify the S3 bucket policy to allow access only from the OAI. This involves adding a policy statement that grants the OAI permission to get objects from the bucket and removing any other public access permissions.

Example Policy:

json

Copy code

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3EXAMPLE"

},

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::example-bucket/*"

}

]

}

Reference: Bucket Policy Examples

Test Configuration:

Ensure that the S3 bucket is not publicly accessible and that requests to the bucket through the CloudFront distribution are successful.

Reference: Testing CloudFront OAI

Latest SOA-C02 Dumps Valid Version with 54 Q&As

Latest And Valid Q&A | Instant Download | Once Fail, Full Refund

Instant Download SOA-C02 PDF     SOA-C02 Questions Online Training
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments