Exam SAA-C03, All Questions
Question 165

A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to store a static website. The company’s security policy requires that all website traffic be inspected by AWS WAF.

How should the solutions architect comply with these requirements?

    Correct Answer: D

    AWS WAF is not a hop that CloudFront forwards requests to. A web ACL is associated with the CloudFront distribution, and CloudFront evaluates it on every request before it fetches anything from the origin, so the "inspect all traffic" requirement is met by attaching the web ACL to the distribution. That alone leaves a gap: if the bucket is readable by anyone, a client can skip CloudFront and fetch the objects from S3 directly, and WAF never sees that request. Option D closes the gap with an origin access identity (OAI): the distribution presents the OAI to S3, and the bucket policy grants s3:GetObject only to that identity, so the only path to the content runs through CloudFront and therefore through the web ACL. Two caveats matter in practice. The web ACL must be a CloudFront-scope web ACL (WAFv2 creates these in us-east-1), and OAI works only when the origin is the bucket's REST endpoint (bucket.s3.region.amazonaws.com); an S3 website endpoint is treated as a custom origin and cannot use OAI or OAC. AWS now recommends origin access control (OAC) over OAI, but the reasoning behind D is the same either way.

Discussion
Nigma

Answer D. Use an OAI to lock down CloudFront to the S3 origin & enable WAF on the CF distribution

FNJ1111

https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/ confirms use of OAI (and option D).

cookieMr (Option: B)

By configuring CloudFront to forward all incoming requests to AWS WAF, the traffic will be inspected by AWS WAF before reaching the S3 origin, complying with the security policy requirement. This approach ensures that all website traffic is inspected by AWS WAF, providing an additional layer of security before accessing the content stored in the S3 origin.

Option A is not the correct choice as configuring an S3 bucket policy to accept requests from the AWS WAF ARN only would bypass the inspection of traffic by AWS WAF. It does not ensure that all website traffic is inspected.

Option C is not the optimal solution as it focuses on controlling access to S3 using a security group. Although it associates AWS WAF with CloudFront, it does not guarantee that all incoming requests are inspected by AWS WAF.

Option D is not the recommended solution as configuring an OAI in CloudFront and restricting access to the S3 bucket does not ensure that all website traffic is inspected by AWS WAF. The OAI is used for restricting direct access to S3 content, but the traffic should still pass through AWS WAF for inspection.

bogobob

Apparently you can only point to a custom host that is "not an Amazon Simple Storage Service (Amazon S3) bucket" (other than for static hosting). https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/. Answer should be D

SinghJagdeep

agreed. Must be D as per above security blog

escalibran

Option B does use the WAF through Cloudfront, but it does not mention anything to prevent direct access to the objects without going through Cloudfront.

rlamberti (Option: D)

WAF is not a destination. WAF is attached to something to inspect traffic (ALB, CloudFront etc), so D is the correct answer.

fageroff

If your origin is an Amazon S3 bucket configured as a website endpoint, you must set it up with CloudFront as a custom origin. That means you can't use OAC (or OAI).

Duckydoo (Option: D)

The requirements indicate that S3 is used to "store" a static website, not that it must be configured as a static website (which does not make any sense if it's to be used with CF anyway). Furthermore, the requirements also indicate that all traffic must be inspected by WAF. If you do not setup OAI/OAC, you can potentially bypass CF and access S3 directly. So option B does not satisfy the second requirement.

ManikRoy (Option: D)

OAI is required so that S3 bucket is not accessed directly.

keehua (Option: D)

There are two ways you can serve static websites on an AWS S3 origin: either using website endpoints or REST API endpoints. Website endpoints do not support HTTPS. Note that the question does not mention which endpoint is used. https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html#WebsiteRestEndpointDiff

B is incorrect because we do not 'forward' requests to AWS WAF; we attach WAF to the CloudFront distribution itself. Could be bad wording of the question.

D is totally valid because it doesn't mention using website endpoints. D also uses OAI to restrict direct access to objects in AWS S3. Although OAI is still viable at this point in time, it is still a legacy method and it is more recommended to use OAC instead. https://repost.aws/knowledge-center/cloudfront-serve-static-website

Uzbekistan (Option: B)

Option B ensures that all incoming requests to the static website served through Amazon CloudFront are first forwarded to AWS WAF for inspection before the content is requested from the S3 origin. This ensures that all website traffic is inspected by AWS WAF as required by the company's security policy.

awsgeek75 (Option: D)

A: Doesn't make sense in the context of CF.
B: You configure WAF on CF for HTTP status handling, so this may be right but is badly worded.
C: You might as well re-engineer S3 and CloudFront!
D: The requirement for WAF usage is met with this. Doesn't have to be smart usage, just enabled.

jatric (Option: D)

CloudFront allows configuration to enable AWS WAF, and restricting direct access to S3 through OAI will meet the requirements.

shil_31 (Option: D)

Using an OAI (Origin Access Identity) restricts access to the S3 bucket, ensuring that only CloudFront can access the content. Enabling AWS WAF on the CloudFront distribution allows you to inspect website traffic and filter out malicious requests before they reach your S3 origin.

Hkayne

I guess D

drdz13

D is not possible since you cannot set OAC or OAI if the S3 bucket is used as a static website host.

bujuman (Option: D)

WAF is associated with a CloudFront distribution.

vip2 (Option: D)

Some people use the link below as a supporting point, but when you look into the link, WAF is in front of CloudFront from the traffic view. So B is incorrect because 'there is no CloudFront forward requesting to ACL.' https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/

Parul25

A content delivery network is typically deployed before a web application firewall (WAF). Refer to the "Here’s how the solution works" section provided in your linked resource.

ale_brd_ (Option: B)

B. Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content from the S3 origin. This option ensures that all website traffic passes through AWS WAF for inspection before reaching the S3 origin, complying with the security policy requirements. I appreciate your thorough analysis.

wearrexdzw3123 (Option: D)

It's storage, not a web endpoint, so it's http://[bucket-name].s3.[region].amazonaws.com, and OAI can be used.

wearrexdzw3123

This resolution doesn't apply to S3 origins that are configured as a website endpoint. For example, AWSDOC-EXAMPLE-BUCKET.s3-website-us-east-1.amazonaws.com.
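As an added example that is not part of the question, the site's explanation or any of the posts above: a Python audit of the two properties the accepted answer (D) depends on, plus the website-endpoint caveat raised in the discussion. It takes a bucket policy and a CloudFront DistributionConfig in the shapes the S3 and CloudFront APIs return and reports every way a request could reach the objects without passing the web ACL: a public principal in the bucket policy, an OAC statement without the AWS:SourceArn condition (any distribution in any account could read the bucket), no web ACL on the distribution, or an origin that is an S3 website endpoint and so can carry neither OAI nor OAC. All identifiers (bucket name, account, distribution, OAI and OAC IDs, web ACL ARN) are made up for this example.

```python
"""Audit a CloudFront + S3 pair: can every request be forced through AWS WAF?

Added example (not AWS or the question's own code). Sample identifiers below are constructed.
"""
import re

OAI_PRINCIPAL_RE = re.compile(
    r"^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity (?P<id>[A-Z0-9]+)$")
ORIGIN_OAI_RE = re.compile(r"^origin-access-identity/cloudfront/(?P<id>[A-Z0-9]+)$")
S3_REST_RE = re.compile(r"^[a-z0-9.-]+\.s3(?:\.[a-z0-9-]+)?\.amazonaws\.com$")
S3_WEBSITE_RE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
# CloudFront can only use WAFv2 web ACLs created with scope CLOUDFRONT (us-east-1, "global").
WAFV2_CLOUDFRONT_RE = re.compile(r"^arn:aws:wafv2:us-east-1:\d{12}:global/webacl/[^/]+/[0-9a-f-]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def origin_identities(dist_config):
    """Return ({OAI ids}, {OAC ids}, [findings]) across every origin of the distribution."""
    oais, oacs, findings = set(), set(), []
    for origin in dist_config.get("Origins", {}).get("Items", []):
        host, oid = origin["DomainName"], origin["Id"]
        if S3_WEBSITE_RE.search(host):
            # A website endpoint is a custom origin: no OAI/OAC, so the bucket must be
            # public and a client can read S3 directly without ever touching WAF.
            findings.append(f"origin {oid} uses the S3 website endpoint {host}; OAI/OAC cannot apply")
            continue
        if not S3_REST_RE.match(host):
            findings.append(f"origin {oid} is not an S3 REST endpoint ({host}); not covered here")
            continue
        m = ORIGIN_OAI_RE.match(origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", ""))
        oac = origin.get("OriginAccessControlId", "")
        if m:
            oais.add(m.group("id"))
        if oac:
            oacs.add(oac)
        if not m and not oac:
            findings.append(f"origin {oid} has neither an OAI nor an OAC; S3 must be public to serve it")
    return oais, oacs, findings


def bucket_policy_findings(policy, allowed_oai_ids, distribution_arn):
    """Flag every Allow statement that lets anyone other than this distribution read the bucket."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only tighten access
        label = f"statement {stmt.get('Sid', i)}"
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{label}: public principal lets clients read S3 directly, bypassing CloudFront and WAF")
            continue
        if not isinstance(principal, dict):
            findings.append(f"{label}: unexpected principal {principal!r}")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            m = OAI_PRINCIPAL_RE.match(arn)
            if not m or m.group("id") not in allowed_oai_ids:
                findings.append(f"{label}: principal {arn} is not this distribution's OAI")
        for service in _as_list(principal.get("Service", [])):
            # OAC form: the service principal is shared by every CloudFront distribution
            # in every account, so the SourceArn condition is what makes it *this* one.
            source = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
            if service != "cloudfront.amazonaws.com" or source != distribution_arn:
                findings.append(f"{label}: service principal needs cloudfront.amazonaws.com with "
                                f"StringEquals AWS:SourceArn = {distribution_arn}")
        for key in principal.keys() - {"AWS", "Service"}:
            findings.append(f"{label}: principal type {key} cannot be verified as the OAI/OAC here")
    return findings


def waf_findings(dist_config):
    acl = dist_config.get("WebACLId", "")
    if not acl:
        return ["distribution has no web ACL: traffic is never inspected by AWS WAF"]
    if acl.startswith("arn:aws:wafv2:") and not WAFV2_CLOUDFRONT_RE.match(acl):
        return [f"web ACL {acl} is not a CLOUDFRONT-scope WAFv2 web ACL"]
    return []


def audit(bucket_policy, dist_config, distribution_arn):
    """Empty list means every request to the objects must pass CloudFront and therefore WAF."""
    oais, _oacs, findings = origin_identities(dist_config)
    return findings + waf_findings(dist_config) + bucket_policy_findings(bucket_policy, oais, distribution_arn)


# Constructed sample identifiers (made up).
BUCKET, ACCOUNT, DIST_ID, OAI_ID = "example-static-site", "111122223333", "EDFDVBD6EXAMPLE", "E2QWRUHAPOMQZL"
DIST_ARN = f"arn:aws:cloudfront::{ACCOUNT}:distribution/{DIST_ID}"
WEB_ACL_ARN = f"arn:aws:wafv2:us-east-1:{ACCOUNT}:global/webacl/static-site/a1b2c3d4-5678-90ab-cdef-111122223333"


def _policy(principal, condition=None):
    stmt = {"Sid": "ReadViaCloudFront", "Effect": "Allow", "Principal": principal,
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


def _dist(domain, web_acl, oai="", oac=""):
    origin = {"Id": "s3", "DomainName": domain}
    if "s3-website" in domain:
        origin["CustomOriginConfig"] = {"OriginProtocolPolicy": "http-only"}
    else:
        origin["S3OriginConfig"] = {"OriginAccessIdentity": oai}
    if oac:
        origin["OriginAccessControlId"] = oac
    return {"Origins": {"Quantity": 1, "Items": [origin]}, "WebACLId": web_acl}


OAI_POLICY = _policy({"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"})
OAC_POLICY = _policy({"Service": "cloudfront.amazonaws.com"}, {"StringEquals": {"AWS:SourceArn": DIST_ARN}})
OAC_POLICY_NO_SOURCEARN = _policy({"Service": "cloudfront.amazonaws.com"})  # confused-deputy gap
PUBLIC_POLICY = _policy("*")  # what a website-endpoint origin forces you into
OAI_DIST = _dist(f"{BUCKET}.s3.us-east-1.amazonaws.com", WEB_ACL_ARN, oai=f"origin-access-identity/cloudfront/{OAI_ID}")
OAC_DIST = _dist(f"{BUCKET}.s3.us-east-1.amazonaws.com", WEB_ACL_ARN, oac="E3EXAMPLEOAC12")
WEBSITE_DIST = _dist(f"{BUCKET}.s3-website-us-east-1.amazonaws.com", "")

if __name__ == "__main__":
    for name, pol, dist in [("option D (OAI)", OAI_POLICY, OAI_DIST), ("OAC", OAC_POLICY, OAC_DIST),
                            ("OAC w/o SourceArn", OAC_POLICY_NO_SOURCEARN, OAC_DIST),
                            ("WAF on CF, public bucket", PUBLIC_POLICY, OAI_DIST),
                            ("website endpoint", PUBLIC_POLICY, WEBSITE_DIST)]:
        print(name, "->", audit(pol, dist, DIST_ARN) or "OK")
```

In practice the inputs are the `Policy` document from `aws s3api get-bucket-policy` and the `DistributionConfig` from `aws cloudfront get-distribution-config`. The "WAF on CF, public bucket" case is the option-B reading of the question: the web ACL is attached, yet the audit still reports a finding because the bucket policy leaves a path around CloudFront. The check covers the bucket policy and distribution only; object ACLs and the account's Block Public Access settings are a separate review.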