1. A security engineer needs to ensure that objects in an S3 bucket can only be accessed through CloudFront, not directly via the S3 URL. Which solution correctly enforces this restriction?
- A. Create an Origin Access Identity (OAI), associate it with the CloudFront distribution, and update the S3 bucket policy to allow GetObject only from that OAI principal. ✓ Correct
- B. Enable S3 server-side encryption with KMS and configure CloudFront to use the same KMS key, preventing direct S3 access without CloudFront credentials.
- C. Set the S3 bucket to private, place it in a VPC, and configure a VPC endpoint so that only CloudFront can route traffic through the private network path.
- D. Attach an IAM policy to the CloudFront distribution role that denies all S3 GetObject calls originating outside of CloudFront's IP ranges.
Explanation
An OAI is a special CloudFront identity that the S3 bucket policy names as the only principal allowed to call GetObject; because the bucket is otherwise private, a request that arrives directly at the S3 URL (anonymous or not) is refused. Encryption, VPC endpoints, and IAM policies on CloudFront do not stop anonymous users from hitting the S3 URL directly.
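The bucket policy the explanation refers to, as an added example that is not part of the question bank. The bucket name `example-bucket` and the OAI ID `E1EXAMPLEOAIID` are placeholders; the principal ARN format `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>` is the one CloudFront uses for an OAI. The policy grants only `s3:GetObject` on objects, nothing at the bucket level, so listing remains impossible even through CloudFront. It only enforces the restriction if nothing else grants public read, so keep S3 Block Public Access on and make sure the bucket and object ACLs do not grant `public-read`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObjectOnlyViaCloudFrontOAI",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLEOAIID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

A quick check after applying it: an unauthenticated `curl https://example-bucket.s3.amazonaws.com/index.html` should return 403, while the same path through the distribution's domain name should return 200.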
2. After configuring CloudFront with an OAI, users report receiving 403 Forbidden errors when accessing objects. The S3 bucket policy was updated to reference the OAI. What is the most likely cause?
- A. The S3 bucket policy references the OAI's canonical user ID but the OAI was not yet propagated globally, and the bucket ACL still grants public-read overriding the policy.
- B. The CloudFront distribution's origin domain name points to the S3 website endpoint instead of the S3 REST API endpoint, causing OAI authentication to fail silently. ✓ Correct
- C. The OAI requires HTTPS-only communication, but the CloudFront origin protocol policy is set to HTTP-only, so S3 rejects the unsigned requests.
- D. The S3 bucket is in a different AWS region than the CloudFront distribution, and cross-region OAI is not supported without enabling Transfer Acceleration.
Explanation
OAI only works with the S3 REST endpoint (bucket.s3.amazonaws.com or bucket.s3.region.amazonaws.com). If the origin is set to the S3 website endpoint (bucket.s3-website-region.amazonaws.com), CloudFront treats it as a plain custom origin and sends unsigned requests, so S3 returns 403 for a private bucket. OAI works across all regions, and there is no propagation delay that would produce this symptom.
3. A company wants to add HTTP security headers such as Strict-Transport-Security, X-Content-Type-Options, and Content-Security-Policy to all responses from its CloudFront distribution without modifying the origin servers. Which approach achieves this?
- A. Deploy a Lambda@Edge function triggered on the Viewer Response event that appends the required security headers to every HTTP response before it reaches the client. ✓ Correct
- B. Configure CloudFront response headers policies in the AWS Management Console, which natively supports injecting all custom security headers without any Lambda functions.
- C. Enable AWS WAF on the CloudFront distribution and create a rule that injects security headers into responses matching an allow action.
- D. Modify the origin server application code to include all required headers, then set CloudFront to forward those headers to viewers using a custom cache policy.
Explanation
Lambda@Edge on Viewer Response fires after CloudFront has the response (from the origin or the cache) and before it is delivered to the client, so headers can be injected without touching the origin servers. WAF rules cannot inject response headers. CloudFront's native response headers policies also exist, but for this scenario Lambda@Edge is the intended answer because it adds the headers on the fly at the edge.
4. Which Lambda@Edge trigger event is the correct one to use when you want to inspect and modify the HTTP response headers sent back to the end user by CloudFront?
- A. Viewer Response — this event fires after CloudFront receives the response from the origin (or cache) and before it is forwarded to the requesting client. ✓ Correct
- B. Origin Request — this event fires before CloudFront forwards the request to the origin, making it the best place to add response headers pre-emptively.
- C. Viewer Request — this event fires when CloudFront receives a request from a viewer, giving you access to the full request and response objects simultaneously.
- D. Origin Response — this event fires after the origin returns a response and is the only event where CloudFront allows modification of HTTP response status codes.
Explanation
Viewer Response fires after the response is ready but before delivery to the client — the correct hook for adding security headers to every response. Origin Response fires between origin and CloudFront cache, not between CloudFront and the viewer.
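The Viewer Response handler that questions 3 and 4 describe, as an added Node.js example that is not code from the question bank. It assumes the Lambda@Edge event shape CloudFront documents (headers are a map of lowercase name to an array of `{ key, value }` objects). The header values and the sample event are constructed for illustration; the CSP in particular is a placeholder and must be tuned to the site's real resources. Headers the origin already set with the same name are replaced rather than appended, so a permissive origin value (such as the `X-Frame-Options: ALLOWALL` in the sample) cannot survive to the viewer.

```javascript
'use strict';

// Security headers to enforce on every response (assumed values; the CSP is
// a placeholder and should match what the site actually loads).
const SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'content-security-policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
};

// Turn a lowercase header name into the canonical form CloudFront accepts
// in the "key" field, e.g. "x-frame-options" -> "X-Frame-Options".
function canonicalName(lower) {
  return lower
    .split('-')
    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
    .join('-');
}

// Return a copy of a CloudFront headers map with the security headers set.
// Existing entries for the same names are overwritten so the origin cannot
// weaken the policy; unrelated headers pass through untouched.
function addSecurityHeaders(headers) {
  const out = { ...headers };
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    out[name] = [{ key: canonicalName(name), value }];
  }
  return out;
}

// Apply the headers to a Lambda@Edge response object and return it.
function hardenResponse(response) {
  response.headers = addSecurityHeaders(response.headers || {});
  return response;
}

// Viewer Response trigger entry point: the event wraps the response that
// CloudFront is about to send to the viewer; returning it delivers it.
async function handler(event) {
  return hardenResponse(event.Records[0].cf.response);
}

// Constructed sample event for a local run (not a real CloudFront event).
const sampleEvent = {
  Records: [{
    cf: {
      response: {
        status: '200',
        statusDescription: 'OK',
        headers: {
          'content-type': [{ key: 'Content-Type', value: 'text/html' }],
          'x-frame-options': [{ key: 'X-Frame-Options', value: 'ALLOWALL' }],
        },
      },
    },
  }],
};

if (typeof module !== 'undefined') {
  module.exports = { handler, addSecurityHeaders, hardenResponse, SECURITY_HEADERS };
  if (require.main === module) {
    handler(sampleEvent).then((r) => console.log(JSON.stringify(r.headers, null, 2)));
  }
}
```

Because the Viewer Response trigger runs on every response, including cache hits, the headers reach the viewer even when the origin is never contacted; an Origin Response trigger would only cover cache misses.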
5. A global CloudFront distribution serves large video files. A viewer in a city far from any Point of Presence (POP) requests an object not cached at the nearest POP. What happens next in CloudFront's caching hierarchy before the origin is contacted?
- A. CloudFront checks the Regional Edge Cache (REC) associated with the POP's region; if the object is cached there, it is served without reaching the origin server. ✓ Correct
- B. CloudFront immediately forwards the request to the origin because Points of Presence are the only caching layer and there is no intermediate Regional Edge Cache tier.
- C. CloudFront routes the request to the nearest competing POP in a different availability zone to attempt a peer-cache lookup before contacting the origin.
- D. CloudFront triggers an automatic Lambda@Edge Viewer Request function that queries other POPs across the globe to find a cached copy of the object.
Explanation
CloudFront's two-tier cache: POP (edge location) → Regional Edge Cache (REC) → Origin. A POP miss checks the REC before hitting the origin, significantly reducing origin load for large, infrequently accessed objects. There is no peer-cache or global POP lookup.