Design Solutions for Organizational Complexity III
Explore how to design advanced AWS solutions for complex organizational needs by addressing privacy, security, multi-account scaling, and disaster recovery. Learn to leverage services like CloudFront, Security Hub, GuardDuty, Aurora Global Database, and backup strategies to meet compliance, resilience, and operational goals within multi-region environments.
Question 11
A global marketing site serves static content from Amazon S3 through Amazon CloudFront. Compliance requires that the S3 bucket remain private, only CloudFront may read objects, TLS must use a corporate domain, and AWS WAF rules must protect the edge endpoint. Which design meets these requirements?
A. Create a CloudFront distribution with Origin Access Control to sign requests to the S3 REST endpoint. Keep S3 Block Public Access enabled, add a bucket policy that allows cloudfront.amazonaws.com with AWS:SourceArn for the distribution, use an AWS Certificate Manager certificate in us-east-1 for the corporate domain, attach AWS WAF to the distribution, and update the KMS key policy if SSE-KMS is used.
B. Configure the S3 bucket as a static website endpoint, disable S3 Block Public Access, and use CloudFront signed URLs to prevent users from accessing the bucket directly.
C. Make the S3 bucket public read, use an S3 bucket policy to restrict access by source IP ranges, and attach AWS WAF to the S3 bucket.
D. Place the S3 bucket in private subnets, attach security groups to the bucket, and use network ACLs to allow only CloudFront edge locations. ...
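To make the bucket-policy half of option A concrete, here is an added example (not part of the course material) that checks a bucket policy for the Origin Access Control pattern: only the `cloudfront.amazonaws.com` service principal may read objects, and that grant is scoped to one distribution through `AWS:SourceArn`. The bucket name, account id and distribution id in the sample policy are constructed placeholders.

```python
import json

# Constructed sample (placeholder account id, distribution id and bucket name)
# in the shape option A describes: CloudFront service principal, read-only,
# scoped to a single distribution through the AWS:SourceArn condition.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipalReadOnly",
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-marketing-site/*",
    "Condition": {"StringEquals": {
      "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"}}
  }]
}""")

DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"  # placeholder


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_oac_bucket_policy(policy, distribution_arn):
    """Return findings; an empty list means only CloudFront reads, scoped to distribution_arn."""
    findings, saw_cloudfront = [], False
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access; not checked here
        sid, principal = st.get("Sid", "<no Sid>"), st.get("Principal", {})
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard principal makes the bucket public")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" not in services:
            findings.append(f"{sid}: grants a principal other than CloudFront")
            continue
        saw_cloudfront = True
        if set(_as_list(st.get("Action", []))) != {"s3:GetObject"}:
            findings.append(f"{sid}: CloudFront is granted more than s3:GetObject")
        equals = st.get("Condition", {}).get("StringEquals", {})
        source = {k.lower(): v for k, v in equals.items()}.get("aws:sourcearn")
        if source != distribution_arn:
            findings.append(f"{sid}: not scoped to the distribution via AWS:SourceArn")
    if not saw_cloudfront:
        findings.append("no statement allows cloudfront.amazonaws.com to read objects")
    return findings


if __name__ == "__main__":
    print(check_oac_bucket_policy(SAMPLE_POLICY, DIST_ARN))  # prints []
```

The check covers the bucket policy only; S3 Block Public Access, the ACM certificate, the WAF web ACL and any SSE-KMS key policy are separate controls that the question also lists.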