You use an Amazon S3 bucket as the origin for a CloudFront distribution. To restrict access to S3 content, you create an Origin Access Identity (XXXX1234567890) in CloudFront and associate it with the distribution. You need to modify the S3 bucket policy so that users cannot bypass CloudFront to access the S3 files. Which of the following options contains the correct S3 bucket policy statement?

Answer options:

A.{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXX1234567890"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::aws-example-bucket/*"
}
B.{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/XXXX1234567890"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::aws-example-bucket"
}
C.{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXX1234567890"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::aws-example-bucket/*"
}
D.{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXX1234567890"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::aws-example-bucket"
}
 

Correct Answer – C
The S3 bucket policy should allow the "s3:GetObject" action if the Principal comes from the CloudFront Origin Access Identity. Details can be found in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html.
Option A is incorrect: Because the "Effect" should be "Allow" instead of "Deny."
Option B is incorrect: Both "Principal" and "Resource" are incorrect according to the above reference.
Option C is CORRECT: Because with this bucket policy, "s3:GetObject" action is only allowed for the CloudFront OAI.
Option D is incorrect: The bucket policy denies the action if the Principal is NOT the Origin Access Identity. However, it still does not allow the action if the Principal comes from the CloudFront OAI. An explicit Allow is required. Besides, the "Resource" field is incorrect.