Correct Answer – B
If you want to use CloudFront signed URLs or signed cookies to provide access to objects in your Amazon S3 bucket, you probably want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs or signed cookies, for example, control over the date and time that a user can no longer access your content and control over which IP addresses can be used to access the content. In addition, if users access objects both through CloudFront and directly using Amazon S3 URLs, CloudFront access logs are less useful because they're incomplete.
To ensure that your users access your files using only CloudFront URLs, regardless of whether the URLs are signed, do the following:
1. Create an origin access identity, which is a special CloudFront user, and associate the origin access identity with your distribution. You associate the origin access identity with origins so that you can secure all or just some of your Amazon S3 content. You can also create an origin access identity and add it to your distribution when you create the distribution. For more information, see Creating a CloudFront OAI and Adding it to Your Distribution.
2. Change the permissions either on your Amazon S3 bucket or on the files in your bucket so that only the origin access identity has read permission (or read and download permission). When your users access your Amazon S3 files through CloudFront, the CloudFront origin access identity gets the files on behalf of your users. If your users request files directly by using Amazon S3 URLs, they're denied access. The origin access identity has permission to access files in your Amazon S3 bucket, but users don't. For more information, see Granting the OAI Permission to Read Files in Your Amazon S3 Bucket.
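One way to check the result of the second step is to audit the bucket policy for read grants to anyone other than the origin access identity. The following is an added example, not taken from the AWS documentation; the OAI ID, bucket name, Sids and function names are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Principal format S3 bucket policies use for a CloudFront OAI.
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
OAI_ID = "EXAMPLEOAIID"  # constructed placeholder, not a real identity

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Flatten Principal to a list of strings; "*" means anyone."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return [p for value in principal.values() for p in _as_list(value)]

def _allows_read(stmt):
    """True if an Allow statement's Action matches s3:GetObject (wildcards included)."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatchcase("s3:getobject", a.lower()) for a in _as_list(stmt.get("Action", [])))

def audit_bucket_policy(policy_json, oai_id):
    """List Allow statements that let anyone other than the OAI read objects.
    NotPrincipal/NotAction, Condition keys and object ACLs are not evaluated here."""
    expected = OAI_PREFIX + oai_id
    findings, oai_can_read = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if not _allows_read(stmt):
            continue
        for principal in _principals(stmt):
            if principal == expected:
                oai_can_read = True
            else:
                findings.append(f"{stmt.get('Sid', '<no Sid>')}: read allowed for {principal}")
    if not oai_can_read:
        findings.append("OAI has no s3:GetObject grant; CloudFront cannot fetch objects")
    return findings

def _stmt(sid, principal):  # builds constructed sample statements
    return {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}

OAI_STMT = _stmt("OAIRead", {"AWS": OAI_PREFIX + OAI_ID})
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [OAI_STMT]})
BAD_POLICY = json.dumps({"Version": "2012-10-17",
                         "Statement": [OAI_STMT, _stmt("PublicRead", "*")]})

if __name__ == "__main__":
    print(audit_bucket_policy(GOOD_POLICY, OAI_ID))
    print(audit_bucket_policy(BAD_POLICY, OAI_ID))
```

An empty list means the policy grants object reads to the OAI and to no other principal; file-level permissions (object ACLs) still need a separate review.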
For more information on Origin Access Identity, please visit the link below.
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html