What CloudFront feature allows only designated distributions to access S3 buckets using short-term credentials?


Study for the AWS Certified Security Specialty Exam. Utilize flashcards and multiple-choice questions with detailed explanations. Thoroughly prepare and boost your confidence for the exam!

The correct answer is Origin Access Control. This feature is specifically designed to allow only designated CloudFront distributions to access S3 buckets while using short-term credentials. When you configure your CloudFront distribution with Origin Access Control, it ensures that the traffic coming from the CloudFront distribution is authenticated and authorized to access the S3 bucket. This acts as a security measure to prevent direct access to your S3 bucket from the internet, thus protecting your stored content.

By employing Origin Access Control, you restrict access to your S3 bucket content so that only CloudFront can retrieve objects on behalf of your users. Consolidating traffic through CloudFront enhances security and allows for improved monitoring, caching, and reduced data transfer costs from S3.

The other options are not tailored to this exact functionality. CloudFront Access Control is a general term that does not name the specific mechanism for accessing S3, while an S3 Bucket Policy defines access controls on the bucket itself, which could allow broader access than intended. Lastly, CloudFront Security Policy is not a standard term used within AWS services, making it irrelevant in this context.
