The correct and secure approach is to use Amazon CloudFront with Origin Access Control (OAC) to protect the S3 origin and attach AWS WAF to the CloudFront distribution to inspect and filter traffic at the edge before reaching the origin.
From AWS Documentation:
“AWS WAF is integrated with Amazon CloudFront, allowing inspection of HTTP(S) requests at the edge location before forwarding to your origin. To restrict direct access to the S3 bucket, use Origin Access Control (OAC).”
(Source: Amazon CloudFront Developer Guide – Serving private content)
Why Option D is correct:
CloudFront is the only service that integrates with AWS WAF for full HTTP layer inspection.
Origin Access Control (OAC) ensures that only CloudFront can access the S3 origin; it replaces the older Origin Access Identity (OAI) mechanism.
The S3 bucket policy is configured to trust only the requests that CloudFront signs on the distribution's behalf through OAC, so direct requests to the bucket are denied.
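As an added illustration (not part of the original answer or of AWS's own code), the following Python builds the Option D bucket policy that trusts only one OAC-backed distribution, and audits a policy for the two common mistakes: a wildcard principal, or the CloudFront service principal granted access without the AWS:SourceArn condition. The bucket name, account ID and distribution ID are placeholders, and WEAK_POLICY is a constructed sample.

```python
CF_SERVICE_PRINCIPAL = "cloudfront.amazonaws.com"

def build_oac_bucket_policy(bucket, account_id, distribution_id):
    """Bucket policy allowing exactly one CloudFront distribution to read via OAC.
    Without the AWS:SourceArn condition, any distribution in any AWS account
    could read the bucket through its own OAC."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": CF_SERVICE_PRINCIPAL},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy):
    """One finding per Allow statement that lets anyone other than a single
    OAC-backed distribution read the bucket (empty list means clean)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append(f"{sid}: wildcard principal granted {stmt.get('Action')}")
            continue
        if CF_SERVICE_PRINCIPAL in _as_list(principal.get("Service", [])):
            source_arn = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn")
            if not source_arn:
                findings.append(f"{sid}: CloudFront principal without AWS:SourceArn condition")
    return findings

# Constructed weak policy: a leftover public-read statement plus an OAC statement with no SourceArn condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnyDistribution", "Effect": "Allow", "Principal": {"Service": CF_SERVICE_PRINCIPAL},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
```

Run `audit_bucket_policy` against a bucket's current policy before switching the distribution to OAC; both findings above must be gone before the bucket's public access is removed.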
Why the other options are incorrect:
Option A: A WAF ARN is not a valid principal in an S3 bucket policy; IAM does not support bucket policies that key on WAF ARNs.
Option B: Incorrect – CloudFront doesn't "forward requests to WAF"; rather, WAF is associated with CloudFront and inspects requests at the edge.
Option C: S3 does not use security groups; they are for EC2/network interfaces. This shows a misunderstanding of how S3 works.
References:
- Amazon CloudFront Developer Guide – "Serving Private Content with OAC"
- AWS WAF Developer Guide – "Protecting CloudFront with AWS WAF"
- AWS Well-Architected Framework – Security Pillar