Your company is planning to use an S3 bucket and a CloudFront distribution to distribute objects to users worldwide. They want to ensure that users can only access the objects via the CloudFront URLs. Which of the following implementation steps need to be carried out? Choose 2 answers from the options given below.

Answer options:

A.Create an IAM User with the desired Access Keys.
B.Create an origin access identity.
C.Change the permissions on the bucket for the IAM users to have read permission.
D.Change the permission on the bucket so that only the origin access identity has read permissions.

Answer – B and D
This is mentioned in the AWS Documentation.
To ensure that your users access your objects using only CloudFront URLs, regardless of whether the URLs are signed, perform the following tasks.
1. Create an origin access identity, which is a special CloudFront user, and associate the origin access identity with your distribution. (For web distributions, you associate the origin access identity with origins. So you can secure all or just some of your Amazon S3 content.)
2. Change the permissions either on your Amazon S3 bucket or on the objects in your bucket. So only the origin access identity has read permission (or read and download permission). 
Since the documentation gives the recommended steps, the other options are invalid.
For more information on serving private content via CloudFront, please visit the below URL
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html