What must you configure in Amazon CloudFront to allow access to a private Amazon S3 bucket?

Prepare for the AWS Cloud Architecting Exam with our comprehensive study guide. Utilize flashcards and multiple-choice questions, each with hints and explanations, to enhance your knowledge. Get ready to succeed!

To allow access to a private Amazon S3 bucket through Amazon CloudFront, it is essential to add trusted signers to your distribution. This process involves specifying accounts that can generate signed URLs or signed cookies, which are necessary to grant timed and restricted access to objects within your private S3 bucket. CloudFront uses these signatures to verify that the requests are authorized, ensuring that only users with valid credentials can access the content stored in the private S3 bucket.

Using trusted signers secures your assets by keeping the S3 bucket private while leveraging CloudFront’s edge locations for content delivery. This method allows you to maintain control over who can access your content while still benefiting from the speed and efficiency that CloudFront offers.

The other options do not provide a valid way to secure access to a private S3 bucket via CloudFront. Establishing VPN connectivity, for example, secures a private network connection but does not help in granting access through a CDN like CloudFront. Enabling public access would contradict the intention of keeping the S3 bucket private, while configuring IAM roles is not directly applicable to how CloudFront handles access to S3 content for end users.
