Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 219 discussion

Answer D. Use an OAI to lockdown CloudFront to S3 origin & enable WAF on CF distribution

Passed the exam on 19th June 2021. This question appeared in my exam. Marking it for future help

Option D mentions using an origin access identity (OAI) to restrict access to the S3 bucket, which is a good practice for securing S3 buckets accessed via CloudFront. However, it does not involve AWS WAF inspection of traffic before accessing the origin.

Option D is WRONG ! ! ! It suggests configuring Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket and enabling AWS WAF on the distribution. While using an OAI with CloudFront is a common practice to restrict direct access to S3 content, it doesn't ensure that all website traffic is inspected by AWS WAF as required by the security policy. Enabling AWS WAF on the CloudFront distribution directly allows for the inspection of incoming requests before they reach the S3 origin. This ensures that all traffic, regardless of its source, is subject to the security policies defined in AWS WAF. Therefore, option B is the more appropriate choice to comply with the security policy.

B. Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin. By configuring Amazon CloudFront to forward all incoming requests to AWS WAF before fetching content from the S3 origin, you ensure that all website traffic is inspected by AWS WAF as per the security policy requirement. This setup allows AWS WAF to inspect and filter requests based on predefined rulesets before they reach the S3 origin, providing an additional layer of security for the static website hosted on S3.

Option D is close to the correct approach, but it misses the fact that you need to inspect traffic with AWS WAF before requesting content from the S3 origin. Enabling AWS WAF after restricting access with an Origin Access Identity (OAI) wouldn't fulfill the requirement of inspecting all incoming website traffic.

The correct answer is B. By configuring Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin, the solution ensures that all traffic to the static website is inspected by AWS WAF, as required by the company's security policy. Option A is not recommended because bucket policies can be complicated to manage and difficult to troubleshoot. Moreover, using an S3 bucket policy to restrict access based on the AWS WAF ARN doesn't ensure that all traffic is inspected by AWS WAF. Option C is not recommended because security groups are not used to restrict access to S3 buckets from Amazon CloudFront, and even if it were used, it doesn't ensure that all traffic is inspected by AWS WAF. Option D is not recommended because using an OAI doesn't provide a way to enforce AWS WAF inspection of traffic to the static website.

For sure answer is D

OAI can't be used with static websites.

Passed the exam on 26th June, this question was on my test.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html Answer is D

Ans=D. Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the S3 bucket. Enable AWS WAF on the distribution.

Changing to D as realized that OAI ensures traffic goes first to Cloudfront and not directly to S3 via resigned URL. Taking 'attach waf to distribution' as includes web traffic monitoring in this case.

Should be B as question is requesting for http and https to be monitored. OAI is for restricting access to s3 bucket but not for monitoring website traffic.

D. Use OAI to restrict direct access to S3 by exposing the content only at the CloudFront layer. Use WAF in front of CloudFront to intercept requests beforehand

D correct

Solid D