SAA-C03 · Question #523
SAA-C03 Question #523: Real Exam Question with Answer & Explanation
The correct answer is D: Configure CloudFront and Amazon S3 to use an origin access control (OAC) to secure the origin.
Question
A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to serve a static website. The solution must use AWS WAF to inspect all website traffic. Which solution will meet these requirements?
Options
- A. Configure an S3 bucket policy to accept only requests that come from the AWS WAF Amazon
- B. Configure CloudFront to forward all incoming requests to AWS WAF before CloudFront requests
- C. Configure a security group that allows only CloudFront IP addresses to access Amazon S3.
- D. Configure CloudFront and Amazon S3 to use an origin access control (OAC) to secure the origin.
Explanation
The correct and secure approach is to use Amazon CloudFront with Origin Access Control (OAC) to protect the S3 origin and to associate an AWS WAF web ACL with the CloudFront distribution, so that every request is inspected and filtered at the edge before CloudFront serves it from cache or fetches it from the origin. "AWS WAF is integrated with Amazon CloudFront, allowing inspection of HTTP(S) requests at the edge location before forwarding to your origin. To restrict direct access to the S3 bucket, use Origin Access Control (OAC)."

Why Option D is correct: AWS WAF can be attached to CloudFront distributions (and to regional resources such as Application Load Balancers and API Gateway), but not to an S3 bucket itself, so in a CloudFront-plus-S3 design the distribution is the only place a web ACL can inspect the HTTP layer. Inspecting "all" website traffic therefore also requires that nobody can reach the bucket directly and bypass the edge. OAC provides exactly that: CloudFront signs its origin requests with SigV4, and the bucket policy grants s3:GetObject only to the cloudfront.amazonaws.com service principal, with a StringEquals condition on AWS:SourceArn that limits the grant to the ARN of this one distribution; S3 Block Public Access stays enabled. OAC is the successor to the older Origin Access Identity (OAI) and, unlike OAI, also supports SSE-KMS encrypted objects and every S3 Region.

Two practical caveats: the web ACL for a CloudFront distribution must be created with CLOUDFRONT scope in the us-east-1 Region, and OAC works only when the origin is the S3 bucket (REST API) endpoint. The S3 static website hosting endpoint is a plain public HTTP origin that cannot be restricted with OAC, so a bucket fronted that way can still be read directly, and WAF would not see that traffic.

Why the other options are incorrect:
Option A: A web ACL ARN is not an IAM principal. A bucket policy can grant access to accounts, IAM principals and AWS service principals, not to a WAF resource, and AWS WAF never makes requests to S3 in any case.
Option B: CloudFront does not "forward requests to WAF". A web ACL is associated with the distribution and evaluates each request at the edge before CloudFront responds or contacts the origin.
Option C: S3 is not a VPC resource and has no security groups; they apply to EC2 instances and other elastic network interfaces. (For origins that do have security groups, such as an ALB, the CloudFront-managed prefix list is the supported way to admit only CloudFront, not a hand-maintained list of IP addresses.)
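The bucket-policy side of Option D, as an added worked example that is not part of the exam page and not AWS-provided code: it generates the policy document a CloudFront OAC origin needs and then checks, with a deliberately simplified model of IAM policy evaluation, that the policy lets exactly the named distribution read objects and nothing else. The bucket name, account ID and distribution IDs are placeholders, and the evaluator ignores Deny statements, identity policies, ACLs, Block Public Access and the case-insensitivity of condition keys.

```python
# Added example (not from the exam page or from AWS): build the OAC bucket
# policy and exercise it with a simplified IAM-style evaluator.
import fnmatch
import json

BUCKET = "example-static-site"  # placeholder bucket name
DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012/distribution/EDFDVBD6EXAMPLE"  # placeholder


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Bucket policy for an OAC-protected origin: the CloudFront service
    principal may GetObject, but only when the SigV4-signed request was made
    on behalf of this one distribution, which IAM exposes as AWS:SourceArn."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
            }
        ],
    }


def _listify(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, principal) -> bool:
    """principal is "anonymous" (unauthenticated request) or a (kind, value)
    pair such as ("Service", "cloudfront.amazonaws.com") or ("AWS", arn)."""
    if stmt_principal == "*":
        return True  # public statement: matches everyone
    if principal == "anonymous":
        return False  # only "*" grants anonymous access
    kind, value = principal
    return value in _listify(stmt_principal.get(kind, []))


def is_allowed(policy: dict, principal, action: str, resource: str, context=None) -> bool:
    """Simplified evaluator (default deny): an Allow statement grants the
    request only if principal, action, resource and every StringEquals
    condition key match the request context. Not modelled: explicit Deny,
    identity policies, ACLs, Block Public Access, case-insensitive keys."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_matches(stmt["Principal"], principal):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == expected for key, expected in conditions.items()):
            return True
    return False


POLICY = oac_bucket_policy(BUCKET, DISTRIBUTION_ARN)


def access_matrix() -> dict:
    """Who can read (or write) index.html under the generated policy."""
    obj = f"arn:aws:s3:::{BUCKET}/index.html"
    cloudfront = ("Service", "cloudfront.amazonaws.com")
    return {
        # the distribution named in the policy: allowed
        "via_our_distribution": is_allowed(
            POLICY, cloudfront, "s3:GetObject", obj, {"AWS:SourceArn": DISTRIBUTION_ARN}),
        # someone else's distribution pointed at our bucket: denied
        "via_foreign_distribution": is_allowed(
            POLICY, cloudfront, "s3:GetObject", obj,
            {"AWS:SourceArn": "arn:aws:cloudfront::999999999999/distribution/E3FOREIGNEXAMPLE"}),
        # direct unauthenticated request to the bucket URL, bypassing WAF: denied
        "direct_anonymous": is_allowed(POLICY, "anonymous", "s3:GetObject", obj),
        # even our own distribution cannot write: denied
        "our_distribution_put": is_allowed(
            POLICY, cloudfront, "s3:PutObject", obj, {"AWS:SourceArn": DISTRIBUTION_ARN}),
    }


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for case, allowed in access_matrix().items():
        print(f"{case:26s} {'ALLOW' if allowed else 'DENY'}")
```

After applying the real policy, confirm the bypass is closed from outside: a request to the bucket's own REST endpoint URL for an object should return 403, while the same path through the distribution's domain name returns 200 and appears in the web ACL's sampled requests.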