What solution should be implemented to restrict access to S3 static websites only through CloudFront?

Study for the WGU ITEC3005 D341 Cloud Deployment and Operations Exam. Learn through interactive multiple-choice questions, receive detailed hints and explanations, and enhance your exam readiness!

Implementing an origin access identity (OAI) is the correct solution for restricting access to Amazon S3 static websites solely through CloudFront. An OAI is a special CloudFront user that allows CloudFront to access your S3 bucket while preventing direct access from the public. By using an OAI, you can configure your S3 bucket policy to allow only the OAI to access the objects in the bucket, effectively blocking all other requests that don’t come through CloudFront.

This setup is ideal for controlling access to static website content that you want to serve through CloudFront, as it enforces a more secure method of access. As a result, users can only access the content via the CloudFront distribution, which can take advantage of caching, improved latency, and other features provided by CloudFront.

In contrast, security groups and global accelerators are not designed for controlling access in this particular context, and Shield Advanced is a service focused on DDoS protection rather than access management. Therefore, using an origin access identity is the most appropriate and effective approach for this scenario.
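The bucket-policy restriction described above, as an added example that is not part of the original page: a Python check that flags any Allow statement granting access to a principal other than the OAI. The bucket name and OAI ID are constructed placeholders, and the check recognises only the ARN form of the OAI principal.

```python
import json

# ARN form that S3 bucket policies use for a CloudFront OAI principal.
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
BUCKET = "example-static-site"  # constructed placeholder
OAI_ID = "E1EXAMPLE0AI"         # constructed placeholder

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principals(statement):
    """Flatten a statement's Principal element into a list of strings."""
    p = statement.get("Principal", {})
    if isinstance(p, str):  # "*" means anyone
        return [p]
    return [v for vals in p.values() for v in _as_list(vals)]

def non_oai_allows(policy, oai_id):
    """Return the Sids of Allow statements that admit anyone besides the OAI."""
    allowed = OAI_ARN_PREFIX + oai_id
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        # NotPrincipal with Allow grants to everyone except the listed principal.
        if "NotPrincipal" in st or any(p != allowed for p in principals(st)):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings

def _stmt(sid, principal):
    return {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}

# Policy that allows only the OAI to read objects.
LOCKED = {"Version": "2012-10-17",
          "Statement": [_stmt("AllowCloudFrontOAI", {"AWS": OAI_ARN_PREFIX + OAI_ID})]}

# Same policy with a leftover public-read statement: direct S3 access still works.
OPEN = {"Version": "2012-10-17",
        "Statement": LOCKED["Statement"] + [_stmt("PublicRead", "*")]}

if __name__ == "__main__":
    print(json.dumps(LOCKED, indent=2))
    print("locked policy findings:", non_oai_allows(LOCKED, OAI_ID))
    print("open policy findings:", non_oai_allows(OPEN, OAI_ID))
```
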
