Answer: B
Option A is incorrect because granting public access is not a secure way to provide specific access to the external website. Public access allows anyone on the internet to access the S3 bucket objects.
Option B is CORRECT because, to allow read access to these objects from your website, you can add a bucket policy that allows the s3:GetObject operation with a condition, using the aws:Referer key, that the GET request must originate from specific webpages.
Option C is incorrect because aws:sites is not a valid condition key for a bucket policy.
Option D is incorrect because IAM roles are assigned to AWS services and not to external websites.
{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests originating from www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::awsexamplebucket1/*",
      "Condition": {
        "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}
For more information on example bucket policies, kindly refer to the following URL:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
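An added example (not part of the original answer explanation and not AWS code): a small Python model of how the `StringLike` condition on `aws:Referer` in the policy above is evaluated for a request. It covers only this one statement; the function names and the sample Referer values are constructed for illustration.

```python
import re

# The statement from the policy above, reduced to the fields evaluated here.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Condition": {"StringLike": {
        "aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}},
}

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run of characters,
    '?' matches exactly one character; everything else is literal."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def statement_allows(statement, action, referer):
    """True if this Allow statement matches the action and the Referer header.
    `referer` is None when the request carries no Referer header."""
    actions = [a.lower() for a in statement["Action"]]  # action names ignore case
    if statement["Effect"] != "Allow" or action.lower() not in actions:
        return False
    if referer is None:
        # Condition key absent from the request: StringLike evaluates to false.
        return False
    patterns = statement["Condition"]["StringLike"]["aws:Referer"]
    return any(string_like(p, referer) for p in patterns)

# Constructed sample requests: (action, Referer header value or None).
SAMPLES = [
    ("s3:GetObject", "http://www.example.com/gallery.html"),   # listed page
    ("s3:GetObject", "https://www.example.com/gallery.html"),  # https not listed
    ("s3:GetObject", "http://www.example.com.other.test/"),    # different host
    ("s3:GetObject", None),                                    # no header sent
    ("s3:PutObject", "http://www.example.com/"),               # action not listed
]

def evaluate_samples():
    """Return [(action, referer, allowed)] for the constructed samples."""
    return [(a, r, statement_allows(STATEMENT, a, r)) for a, r in SAMPLES]

if __name__ == "__main__":
    for action, referer, allowed in evaluate_samples():
        print(f"{action:14} {str(referer):42} -> {'Allow' if allowed else 'no match'}")
```

A "no match" result means this statement does not grant access; the request is then denied unless another policy allows it. Because the patterns list only `http://` URLs, pages served over `https://` need their own entries in the `aws:Referer` list.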