
Quick Answer

The correct answer is to allow the CloudFront service principal `cloudfront.amazonaws.com` to perform `s3:GetObject`, scoped with a condition on `AWS:SourceArn` matching your distribution ARN. This works because CloudFront Origin Access Control (OAC) replaces the older Origin Access Identity (OAI) and requires an explicit bucket policy that trusts the CloudFront service principal, not a specific user or role. The `AWS:SourceArn` condition is critical—it ensures only your specific distribution can retrieve objects, preventing any other CloudFront distribution or AWS account from exploiting the permission. On the SAA-C03 exam, this scenario tests your understanding of the modern OAC workflow versus the legacy OAI, and a common trap is forgetting the condition key, which would leave the bucket open to any CloudFront distribution. Remember: OAC needs a service principal, not a canonical user ID, and always pair it with `AWS:SourceArn` to lock it down—think "ARN it to guard it."

SAA-C03 Design Secure Architectures Practice Question

This SAA-C03 practice question tests your understanding of design secure architectures. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Your team hosts a private web app on an S3 bucket and serves it through CloudFront using a modern Origin Access Control (OAC). After deployment, users receive HTTP 403 from CloudFront with the S3 origin error "AccessDenied".

Which S3 bucket policy change best aligns with CloudFront OAC so the distribution can fetch objects privately?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.


Correct answer & explanation

Allow the CloudFront service principal cloudfront.amazonaws.com to perform s3:GetObject, and scope access with a condition on AWS:SourceArn matching your CloudFront distribution ARN.

Option A is correct because CloudFront Origin Access Control (OAC) requires an explicit S3 bucket policy that allows the CloudFront service principal (`cloudfront.amazonaws.com`) to perform `s3:GetObject`, and the recommended best practice is to scope the permission using a condition on `AWS:SourceArn` matching the specific CloudFront distribution ARN. This ensures that only requests originating from that distribution can access the bucket objects, preventing unauthorized access from other sources.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Allow the CloudFront service principal cloudfront.amazonaws.com to perform s3:GetObject, and scope access with a condition on AWS:SourceArn matching your CloudFront distribution ARN.

    Why this is correct

    With CloudFront OAC, the request to S3 is authorized using the CloudFront service principal. Granting s3:GetObject to cloudfront.amazonaws.com and constraining it with AWS:SourceArn to the specific distribution is the standard secure pattern for private S3 origins.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Allow only the S3 bucket owner account to perform s3:GetObject without any condition, so CloudFront can inherit access automatically.

    Why it's wrong here

    CloudFront does not “inherit” the bucket owner’s permissions. S3 must authorize the actual caller (the CloudFront service principal for OAC). A policy that only references the bucket owner principal (without allowing cloudfront.amazonaws.com) will not authorize CloudFront OAC requests.

  • Add a policy statement that denies s3:GetObject when the request does not include the header CloudFront-Viewer-Country.

    Why it's wrong here

    The presence of that header is not what authorizes CloudFront OAC to access S3 objects. AccessDenied indicates the bucket policy is missing (or does not match) the required allow for the CloudFront principal and expected conditions (such as AWS:SourceArn).

  • Grant s3:GetObject permission to an Origin Access Identity (OAI) canonical user ID even though you are using Origin Access Control (OAC).

    Why it's wrong here

    OAI and OAC use different authorization mechanisms. When using OAC, S3 expects authorization from the CloudFront service principal (with appropriate conditions). An OAI canonical user ID condition will not match OAC requests and will not fix the AccessDenied error.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse Origin Access Control (OAC) with the older Origin Access Identity (OAI) and incorrectly select an OAI-based policy (Option D), or they assume that bucket owner permissions automatically extend to CloudFront (Option B), failing to recognize that OAC requires an explicit service principal-based policy with a source ARN condition.

Detailed technical explanation

How to think about this question

CloudFront OAC uses a service principal (`cloudfront.amazonaws.com`) and supports condition keys like `AWS:SourceArn` and `AWS:SourceAccount` for fine-grained access control, whereas the older OAI used a canonical user ID. Under the hood, CloudFront signs requests to S3 using its own credentials, and the bucket policy must explicitly allow the `cloudfront.amazonaws.com` principal; without the `AWS:SourceArn` condition, any CloudFront distribution could potentially access the bucket, which is a security risk. In real-world scenarios, this condition is critical for multi-account setups where multiple distributions might exist in the same AWS account or across accounts.
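As an added example (not part of the original page and not an AWS tool), a small Python audit that checks a bucket policy document for the scoped OAC grant explained above and flags the two failure modes the question turns on: the forgotten `AWS:SourceArn` condition and the legacy OAI canonical-user grant. The bucket and distribution ARNs are constructed placeholders, and the weak policy is shown beside its corrected form.

```python
# Added example, not from the page: audit a bucket policy for the scoped OAC pattern. ARNs are constructed placeholders.
import copy

BUCKET_ARN = "arn:aws:s3:::example-private-site"                         # constructed
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST"  # constructed

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_oac_policy(policy, bucket_arn, dist_arn):
    """Return findings (empty list = policy grants s3:GetObject to CloudFront, scoped to dist_arn)."""
    findings, scoped_allow = [], False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("public Allow: objects readable without going through CloudFront")
            continue
        if isinstance(principal, dict) and "CanonicalUser" in principal:  # legacy OAI grant
            findings.append("OAI canonical-user grant does not authorize OAC requests")
            continue
        if not isinstance(principal, dict) or principal.get("Service") != "cloudfront.amazonaws.com":
            continue
        if "s3:GetObject" not in _as_list(st.get("Action")):
            continue
        # IAM condition keys are case-insensitive, so accept AWS:SourceArn and aws:SourceArn alike.
        equals = st.get("Condition", {}).get("StringEquals", {})
        source = {k.lower(): v for k, v in equals.items()}.get("aws:sourcearn")
        if source is None:
            findings.append("cloudfront.amazonaws.com allowed without AWS:SourceArn: any distribution could read this bucket")
        elif source != dist_arn:
            findings.append(f"AWS:SourceArn points at another distribution: {source}")
        elif f"{bucket_arn}/*" not in _as_list(st.get("Resource")):
            findings.append("Resource does not cover the bucket's objects (bucket/*)")
        else:
            scoped_allow = True
    if not scoped_allow:
        findings.append("no s3:GetObject Allow for cloudfront.amazonaws.com scoped to this distribution")
    return findings

# Weak policy: the exam trap of granting the service principal but forgetting the condition key.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"}]}

# Corrected policy: the same grant locked to one distribution ARN.
OAC_POLICY = copy.deepcopy(WEAK_POLICY)
OAC_POLICY["Statement"][0]["Condition"] = {"StringEquals": {"AWS:SourceArn": DIST_ARN}}
```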

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this SAA-C03 question test?

This question tests the Design Secure Architectures domain: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Allow the CloudFront service principal cloudfront.amazonaws.com to perform s3:GetObject, and scope access with a condition on AWS:SourceArn matching your CloudFront distribution ARN. — Option A is correct because CloudFront Origin Access Control (OAC) requires an explicit S3 bucket policy that allows the CloudFront service principal (`cloudfront.amazonaws.com`) to perform `s3:GetObject`, and the recommended best practice is to scope the permission using a condition on `AWS:SourceArn` matching the specific CloudFront distribution ARN. This ensures that only requests originating from that distribution can access the bucket objects, preventing unauthorized access from other sources.

What should I do if I get this SAA-C03 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

Same concept, more angles

1 more way this is tested on SAA-C03

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company stores private customer documents in an S3 bucket. They want only CloudFront to be able to read objects from the bucket (no direct S3 URL access), even if the bucket name and object key are known. Which configuration best meets this requirement?

medium
  • A. Attach an AWS WAF Web ACL to CloudFront and allow public reads on the S3 bucket so WAF can block direct object access.
  • B. Use CloudFront Origin Access Control (OAC) and update the bucket policy to allow s3:GetObject only when the principal is cloudfront.amazonaws.com and aws:SourceArn equals the CloudFront distribution ARN.
  • C. Create IAM users with s3:GetObject permissions and share the IAM credentials with customers so they can fetch objects directly from S3.
  • D. Enable S3 static website hosting on the bucket and use the S3 website endpoint as the CloudFront origin so access controls can be enforced at CloudFront.

Why B: Option B is correct because CloudFront Origin Access Control (OAC) allows you to restrict S3 bucket access exclusively to CloudFront. By configuring the bucket policy to allow s3:GetObject only when the principal is cloudfront.amazonaws.com and the aws:SourceArn matches the CloudFront distribution ARN, you ensure that direct S3 URL requests are denied, even if the bucket name and object key are known. This prevents any unauthorized direct access to the S3 bucket.

Last reviewed: Jun 11, 2026
