A company is planning to use a Cloudfront Distribution. The origin will be an S3 bucket. They want to ensure that users cannot access the objects in the S3 bucket via the public URL of the bucket objects. How can you accomplish this?

Answer options:

A.Create a Cloudfront Origin Identity that has access via the bucket policy.
B.Place an IAM policy that ensures that users cannot access the objects.
C.Create a Cloudfront Origin Identity that has access via the IAM policy.
D.Create a separate IAM user that has access via the bucket policy.

Answer – A
Options B and C are invalid because you need to set a bucket policy and not an IAM policy for this sort of access.
Option D is invalid because you need to set a Cloudfront Origin Identity and not a separate IAM user.
The AWS Documentation mentions the following.
When you create or update a distribution, you can add an origin access identity and automatically update the bucket policy to give the origin access identity permission to access your bucket. Alternatively, you can choose to manually change the bucket policy or change ACLs, which control permissions on individual objects in your bucket.
Whichever method you use, you should still review the bucket policy for your bucket and review the permissions on your objects to ensure that:
· CloudFront can access objects in the bucket on behalf of users who are requesting your objects through CloudFront.
· Users can`t use Amazon S3 URLs to access your objects.
For more information on using Cloudfront Origin Access Identity, please visit the following URL:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html