Question 1:

You have a CloudFront Distribution that serves your website hosted on a fleet of EC2 instances behind an Application Load Balancer. All your clients are from the United States, but you found that some malicious requests are coming from other countries. What should you do to only allow users from the US and block other countries?

• [✔] Use CloudFront Geo Restriction
• [ ] Use Origin Access Control
• [ ] Set up a security group and attach it to your CloudFront Distribution
• [ ] Use a Route 53 Latency record and attach it to CloudFront

Question 2:

You have a static website hosted on an S3 bucket. You have created a CloudFront Distribution that points to your S3 bucket to better serve your requests and improve performance. After a while, you noticed that users can still access your website directly from the S3 bucket. You want to enforce users to access the website only through CloudFront. How would you achieve that?

• [ ] Send an email to your clients and tell them to not use the S3 endpoint
• [✔] Configure your CloudFront Distribution and create an Origin Access Control (OAC), then update your S3 Bucket Policy to only accept requests from your CloudFront Distribution.
• [ ] Use S3 Access Points to redirect clients to CloudFront

Question 3:

What does this S3 bucket policy do?

{
  "Version": "2012-10-17",
  "Id": "Mystery policy",
  "Statement": [
    {
      "Sid": "What could it be?",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"
        }
      }
    }
  ]
}

• [ ] Forces GetObject request to be encrypted if coming from CloudFront
• [✔] Only allows the S3 bucket content to be accessed from your CloudFront Distribution
• [ ] Only allows GetObject type of request on the S3 bucket from anybody