Design Solutions for Organizational Complexity III
Explore how to design AWS architectures that meet organizational complexity and compliance requirements. Learn to secure S3 content with CloudFront, automate security findings aggregation across multiple accounts, and architect multi-Region disaster recovery with low recovery objectives. This lesson equips you to address real-world AWS challenges involving security, scalability, and fault tolerance in advanced environments.
Question 11
A global marketing site serves static content from Amazon S3 through Amazon CloudFront. Compliance requires that the S3 bucket remain private, only CloudFront may read objects, TLS must use a corporate domain, and AWS WAF rules must protect the edge endpoint. Which design meets these requirements?
A. Create a CloudFront distribution with Origin Access Control to sign requests to the S3 REST endpoint. Keep S3 Block Public Access enabled, add a bucket policy that allows cloudfront.amazonaws.com with AWS:SourceArn for the distribution, use an AWS Certificate Manager certificate in us-east-1 for the corporate domain, attach AWS WAF to the distribution, and update the KMS key policy if SSE-KMS is used.
B. Configure the S3 bucket as a static website endpoint, disable S3 Block Public Access, and use CloudFront signed URLs to prevent users from accessing the bucket directly.
C. Make the S3 bucket public read, use an S3 bucket policy to restrict access by source IP ranges, and attach AWS WAF to the S3 bucket.
D. Place the S3 bucket in private subnets, attach security groups to the bucket, and use network ACLs to allow only CloudFront edge locations. ...
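The bucket policy that option A describes, written out as an added example (not part of the course material), together with a small static checker that reviews any bucket policy against the question's requirements (bucket private, only the named CloudFront distribution may read, least-privilege action). The bucket name and distribution ARN are constructed placeholders.

```python
# Constructed placeholder values; the question names no bucket or distribution.
BUCKET = "example-marketing-site"
DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"

def oac_bucket_policy(bucket, distribution_arn):
    """Bucket policy for the OAC design: only the CloudFront service principal may
    GetObject, and only when the signed request originates from this distribution."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
    }]}

# Constructed example of the public-read shape that options B and C would require.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

def policy_findings(policy, distribution_arn):
    """Static review of a bucket policy against the question's requirements.
    Returns human-readable findings; an empty list means the policy passes."""
    findings, saw_cloudfront = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal; bucket is not private")
            continue
        if isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com":
            saw_cloudfront = True
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("AWS:SourceArn") != distribution_arn:
                findings.append(f"{sid}: CloudFront grant not scoped to the distribution ARN")
            extra = sorted(set(actions) - {"s3:GetObject"})
            if extra:
                findings.append(f"{sid}: grants more than s3:GetObject: {extra}")
    if not saw_cloudfront:
        findings.append("no cloudfront.amazonaws.com statement; OAC requests would be denied")
    return findings
```

With SSE-KMS objects the CloudFront service principal also needs `kms:Decrypt` in the key policy, scoped with the same `AWS:SourceArn` condition; this checker covers only the bucket policy.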