AWS Certified Security - Specialty (#22)

In response to the past DDoS attack experiences, a Security Engineer has set up an Amazon CloudFront distribution for an Amazon S3 bucket. There is concern that some users may bypass the CloudFront distribution and access the S3 bucket directly. What must be done to prevent users from accessing the S3 objects directly by using URLs?

Change the S3 bucket/object permission so that only the bucket owner has access.
Set up a CloudFront origin access identity (OAI), and change the S3 bucket/object permission so that only the OAI has access.
Create IAM roles for CloudFront, and change the S3 bucket/object permission so that only the IAM role has access.
Redirect S3 bucket access to the corresponding CloudFront distribution.