A large IT company is using Amazon CloudFront for its web application. Static Content for this application is saved in the Amazon S3 bucket. Amazon CloudFront is configured for this application to provide faster access to these files for global users.
IT Team is concerned about some critical files that need to be accessed only by users from certain white-list countries that you have defined in Amazon CloudFront geo-restriction. There is a requirement that no users should access these files directly using the Amazon S3 URL. Which of the following is the best way to achieve the given requirement?

Answer options:

A.Create an OAI user to associate with distribution & modify permission on Amazon S3 bucket using bucket policy.
B.Create Amazon CloudFront Signed URLs to limit access to these files & modify permission on Amazon S3 bucket using bucket policy.
C.Create an OAI user to associate with distribution & modify permission on Amazon S3 bucket using object ACL’s.
D.Create Amazon CloudFront Signed URLs to limit access to these files & modify permission on Amazon S3 bucket using object ACL’s.

Correct Answer – C
Amazon CloudFront Origin Access Identity is a special user that can control access to content in the Amazon S3 bucket. Using Object ACLs provides a granular control on each file in the Amazon S3 bucket. Associating Amazon CloudFront OAI to distribution & modifying permission on the S3 bucket allows access only to OAI. 
When you create or update a distribution, you can add an origin access identity (OAI) and automatically update the Amazon S3 bucket policy to give the OAI permission to access your bucket. Alternatively, you can choose to manually create or update the bucket policy, or use object ACLs that control access to individual files in the bucket.
Using CloudFront geo-restriction:
When a user requests your content, CloudFront typically serves the requested content regardless of where the user is located. If you need to prevent users in specific countries from accessing your content, you can use the CloudFront geo restriction feature to do one of the following:
Allow your users to access your content only if they`re in one of the countries on a whitelist of approved countries.
Prevent your users from accessing your content if they`re in one of the countries on a blacklist of banned countries.
Using a third-party geolocation service:
When you`re using a third-party geolocation service, we recommend that you use CloudFront signed URLs, which let you specify an expiration date and time after which the URL is no longer valid. In addition, you use an Amazon S3 bucket as your origin because you can then use a CloudFront origin access identity to prevent users from accessing your content directly from the origin.
Option A is incorrect as modifying permission in the Amazon S3 bucket using bucket policy will not provide granular control on access to each file in a bucket.
Options B and D are incorrect as Amazon CloudFront Signed URLs will provide access only to authorized users for a specified time period. Signed URLs are mainly used with CloudFront third-party geolocation services.
For more information on using restricting access using Amazon CloudFront OAI, refer to the following URL:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html#georestrictions-cloudfront