This section covers the following objective of Domain 5 (Networking and Content Delivery) from the official AWS Certified SysOps Administrator – Associate (SOA-C02) exam guide:
5.2 Configure domains, DNS services, and content delivery
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. What is the primary purpose of a CloudFront Origin Access Identity?
2. What security configuration must be performed on the S3 bucket to make the OAI effective?
1. Answer: An Origin Access Identity (OAI) is a special CloudFront principal used to restrict access to an S3 bucket so that objects can be fetched only through the CloudFront distribution; once the bucket grants read access to the OAI alone (and grants nothing to the public), requests sent directly to the S3 bucket domain name are denied.
2. Answer: A bucket policy must be configured that grants read access to the objects only to the OAI, with no other statement (and no ACL) granting access to anonymous or public principals.
An Origin Access Identity (OAI) is used to restrict access to an S3 bucket. If a bucket serves as the origin for a CloudFront distribution, there is usually no legitimate reason for clients to read its contents directly through the S3 bucket domain; allowing that would let them bypass CloudFront and any signed URL, WAF, or geo-restriction configured on the distribution. In Figure 12.16, Restrict Bucket Access is set to Yes, and the option to create a new OAI is chosen.
FIGURE 12.16 Origin Access Identity
The result of this configuration is a special user (the OAI) that is created for CloudFront. You must now configure the S3 bucket permissions so that only the OAI can read the restricted content. This is done with an S3 bucket policy that names the OAI as the principal and grants it s3:GetObject on the objects in the bucket. Figure 12.17 shows a bucket policy that allows access to the OAI.
FIGURE 12.17 OAI bucket policy
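The following Python example is added here for illustration and is not taken from the book or from Figures 12.16 and 12.17. It builds the kind of OAI-only bucket policy that Figure 12.17 describes and then audits a policy for the mistake that makes an OAI ineffective: an Allow statement that still grants object reads to everyone. The bucket name my-site-assets, the OAI ID E1ABC123XYZ, and the LEAKY_POLICY document are constructed for the example; the OAI principal ARN format (arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>) is the one CloudFront itself writes into a bucket policy.

```python
import json


def build_oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Return a bucket policy that lets only the CloudFront OAI `oai_id`
    read objects in `bucket`. Nothing else is granted, so a request that
    goes straight to the S3 bucket domain has no matching Allow and is denied
    (assuming the bucket ACL grants no public read either)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/"
                           f"CloudFront Origin Access Identity {oai_id}"
                },
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _as_list(value) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_object_grants(policy: dict) -> list:
    """Return the Sids of unconditional Allow statements that grant object
    reads to everyone. Any such statement lets a client bypass CloudFront by
    using the S3 URL directly, so an OAI-restricted bucket must have none."""
    offenders = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        grants_reads = bool(actions & {"s3:getobject", "s3:*", "*"})
        if grants_reads and _principal_is_public(stmt.get("Principal")):
            offenders.append(stmt.get("Sid", "<no Sid>"))
    return offenders


# Constructed example of a policy that grants the OAI but also keeps a
# public-read statement left over from a static-website bucket. The OAI
# restriction is meaningless here because the second statement still lets
# anyone fetch objects via the bucket domain name.
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        build_oai_bucket_policy("my-site-assets", "E1ABC123XYZ")["Statement"][0],
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-site-assets/*",
        },
    ],
}


if __name__ == "__main__":
    good = build_oai_bucket_policy("my-site-assets", "E1ABC123XYZ")
    # This JSON is what you would pass to `aws s3api put-bucket-policy`.
    print(json.dumps(good, indent=2))
    print("public grants in OAI-only policy:", find_public_object_grants(good))
    print("public grants in leaky policy:", find_public_object_grants(LEAKY_POLICY))
```

The audit treats a statement with a Condition as out of scope rather than safe; review those by hand, since a condition such as a permissive aws:SourceIp range can be just as public in practice. Also remember that a bucket policy is only one of the access paths: the bucket ACL and S3 Block Public Access settings must not re-open what the policy closes.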
With this bucket policy in place, only the CloudFront distribution (acting as the OAI) has direct access to the objects. Users can reach them only through a URL that is part of the CloudFront distribution; a request to the S3 bucket domain name returns 403 Access Denied. Note that the OAI does not block anything by itself: it is effective only because the bucket grants read access to no other principal, so make sure no public-read statement or bucket ACL remains and that S3 Block Public Access is enabled on the bucket.
Answer this question. The answer follows the question. If you cannot answer the question correctly, consider reading this section again until you can.
1. You have an S3 bucket that is the origin for a CloudFront distribution. Which actions must you take to ensure that users access objects in the bucket by using only CloudFront URLs? (Choose two).
A. Create an OAI that is associated with the CloudFront distribution.
B. Configure an IAM policy that identifies the OAI as a resource.
C. Create an OAI that is associated with the bucket.
D. Configure a bucket policy that identifies the OAI as a resource.
E. Configure a bucket policy that identifies the OAI as the principal and the bucket as the resource.
1. Answer: A and E are correct. The OAI is a special user that is associated with a CloudFront distribution, not with the bucket, and it cannot be the target of an IAM policy you write. The bucket policy identifies this user as the principal and grants it read access to the resource (the objects in the S3 bucket), so B, C, and D are incorrect.
If you want more practice on this chapter’s exam objectives before you move on, remember that you can access all of the Cram Quiz questions on the Pearson Test Prep software online. You can also create a custom exam by objective with the Online Practice Test. Note any objective you struggle with and go to that objective’s material in this chapter.