Your team hosts a private web app on an S3 bucket and serves it through CloudFront using a modern Origin Access Control (OAC). After deployment, users receive HTTP 403 from CloudFront with the S3 origin error "AccessDenied".

Which S3 bucket policy change best aligns with CloudFront OAC so the distribution can fetch objects privately?

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

Option A (best answer)

Allow the CloudFront service principal cloudfront.amazonaws.com to perform s3:GetObject, and scope access with a condition on AWS:SourceArn matching your CloudFront distribution ARN.

With CloudFront OAC, the request to S3 is authorized using the CloudFront service principal. Granting s3:GetObject to cloudfront.amazonaws.com and constraining it with AWS:SourceArn to the specific distribution is the standard secure pattern for private S3 origins.
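As an added illustration that is not part of the original page, this is the bucket policy shape the explanation describes: a single Allow for the CloudFront service principal on s3:GetObject, locked to one distribution with AWS:SourceArn. The bucket name (EXAMPLE-BUCKET), account ID (111122223333) and distribution ID (EXAMPLE-DISTRIBUTION-ID) are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE-DISTRIBUTION-ID"
        }
      }
    }
  ]
}
```

Because s3:GetObject is an object-level action, the Resource must end in `/*`; with the condition in place, a second distribution (even in the same account) pointing at this bucket still receives AccessDenied, which is the intended behaviour.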

Option B (distractor review)

Allow only the S3 bucket owner account to perform s3:GetObject without any condition, so CloudFront can inherit access automatically.

CloudFront does not “inherit” the bucket owner’s permissions. S3 must authorize the actual caller (the CloudFront service principal for OAC). A policy that only references the bucket owner principal (without allowing cloudfront.amazonaws.com) will not authorize CloudFront OAC requests.

Option C (distractor review)

Add a policy statement that denies s3:GetObject when the request does not include the header CloudFront-Viewer-Country.

The presence of that header is not what authorizes CloudFront OAC to access S3 objects. AccessDenied indicates the bucket policy is missing (or does not match) the required allow for the CloudFront principal and expected conditions (such as AWS:SourceArn).

Option D (distractor review)

Grant s3:GetObject permission to an Origin Access Identity (OAI) canonical user ID even though you are using Origin Access Control (OAC).

OAI and OAC use different authorization mechanisms. When using OAC, S3 expects authorization from the CloudFront service principal (with appropriate conditions). An OAI canonical user ID condition will not match OAC requests and will not fix the AccessDenied error.

Common exam trap

Common exam trap: authentication is not authorization

Logging in proves the user can authenticate. It does not automatically mean the user is allowed to enter privileged or configuration mode. Watch for AAA authorization, privilege level and command authorization details.

Technical deep dive

How to think about this question

This kind of question is testing the difference between identity and permission. A user may successfully log in to a router because authentication is working, but still fail to enter configuration mode because authorization is missing, misconfigured or mapped to a lower privilege level.

Key Concepts to Remember

  • Authentication checks who the user is.
  • Authorization controls what the user is allowed to do after login.
  • Privilege levels affect access to EXEC and configuration commands.
  • AAA, TACACS+ and RADIUS can separate login success from command access.

Exam Day Tips

  • Do not assume successful login means full administrative access.
  • Look for words such as cannot enter configuration mode, privilege level, authorization or command access.
  • Separate login problems from permission problems before choosing the answer.

FAQ

Questions learners often ask

What does this SAA-C03 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Allow the CloudFront service principal cloudfront.amazonaws.com to perform s3:GetObject, and scope access with a condition on AWS:SourceArn matching your CloudFront distribution ARN.

For CloudFront OAC, the secure S3 bucket policy pattern is to allow the CloudFront service principal (cloudfront.amazonaws.com) to perform s3:GetObject and then restrict usage to your specific distribution (commonly with a condition such as AWS:SourceArn equal to the distribution ARN). If CloudFront receives an S3 AccessDenied error, the bucket policy typically lacks the required allow for the correct principal/condition match. Option A directly addresses that by authorizing CloudFront OAC for your distribution.

Why the others are wrong: B does not grant access to the CloudFront principal that OAC uses. C introduces an irrelevant deny condition rather than providing the required allow for the CloudFront principal and matching conditions. D uses the OAI authorization model, which does not apply to OAC requests.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
