A developer is deploying a website hosted in an Amazon S3 bucket. An Amazon CloudFront distribution will be deployed in front of the S3 bucket to cache the content. The developer requires that users access the website only through the CloudFront distribution and are not able to access it directly by using the S3 URL. Which configurations should a security engineer make to support these requirements? (Select TWO.)