A company has several AWS accounts managed via AWS Organizations.
One of the AWS accounts has an S3 bucket that stores critical data for the company.
How can you ensure that only the users in the AWS Organizations have access to this bucket?
A. Ensure the bucket policy has a condition that involves aws:PrincipalOrgID.
B. Ensure the bucket policy has a condition that involves aws:AccountNumber.
C. Ensure the bucket policy has a condition that involves aws:PrincipalID.
D. Ensure the bucket policy has a condition that involves aws:OrgID.
Answer: A.
Option A is CORRECT because you can use a new condition key, aws:PrincipalOrgID, in IAM policies to require all principals to access the resource from an account in the organization.
Option B is incorrect because the condition in the IAM policy has to mention aws:PrincipalOrgID instead of aws:AccountNumber to allow access from individuals within your organization.
Option C is incorrect because the requirement calls for aws:PrincipalOrgID rather than aws:PrincipalID; aws:PrincipalOrgID is the key that lets principals from the AWS Organization access the S3 resources.
Option D is incorrect because aws:OrgID is not a valid condition key and would not satisfy the requirement.
For more information on controlling access via Organizations, refer to the following URL:
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/

The correct answer is A. Ensure the bucket policy has a condition that involves aws:PrincipalOrgID.
Explanation: AWS Organizations allows you to manage multiple AWS accounts as a single entity. You can use AWS Organizations to consolidate billing and manage access control policies across multiple AWS accounts. In this scenario, the company has several AWS accounts managed via AWS Organizations, and one of the AWS accounts has an S3 bucket that stores critical data for the company. The goal is to ensure that only the users in the AWS Organizations have access to this bucket.
To achieve this, you can use the aws:PrincipalOrgID condition in the bucket policy. The aws:PrincipalOrgID condition allows you to specify that only IAM users or roles from AWS accounts that are members of the specified AWS Organization can access the S3 bucket. You can set this condition in the bucket policy by specifying the AWS Organization ID as the value for the aws:PrincipalOrgID key.
For example, the following bucket policy allows access only to IAM users or roles from AWS accounts that are members of the specified AWS Organization:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-0123456789abcdef" }
      }
    }
  ]
}
```
In this example, the bucket policy allows any IAM user or role from an AWS account that is a member of the AWS Organization with ID o-0123456789abcdef to access the S3 bucket.
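As an added example (not part of the original answer), the following Python check reads a bucket policy and flags any Allow statement that grants access to the wildcard principal without pinning the caller to an organization via aws:PrincipalOrgID. The policies embedded below are constructed; the second one deliberately uses the invalid key aws:OrgID from option D, and the organization-ID format is assumed to be the documented `o-` plus 10 to 32 lowercase alphanumerics.

```python
import json
import re

# Constructed sample: the organization-scoped policy from the answer above.
ORG_SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-0123456789abcdef"}}
  }]
}""")

# Constructed counter-sample: same grant, but keyed on the non-existent aws:OrgID
# (option D). IAM ignores unknown keys in StringEquals only as "no match", so the
# statement never grants anything useful, and the linter should still flag it.
BAD_KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:OrgID": "o-0123456789abcdef"}}
  }]
}""")

# Assumed organization-ID shape: "o-" followed by 10 to 32 lowercase alphanumerics.
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")


def find_unscoped_statements(policy):
    """Return indexes of Allow statements that grant to every AWS principal
    ("AWS": "*" or bare "*") without a well-formed aws:PrincipalOrgID condition."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unlisted
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if principal != "*" and not (isinstance(principal, list) and "*" in principal):
            continue                            # not a wildcard grant; out of scope here
        org_ids = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        if isinstance(org_ids, str):
            org_ids = [org_ids]
        if not org_ids or not all(ORG_ID_RE.match(o) for o in org_ids):
            findings.append(i)
    return findings
```

Condition keys in IAM are case-insensitive, so a production version should normalise key names before comparing; this check assumes the canonical spelling.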
Option B (Ensure the bucket policy has a condition that involves aws:AccountNumber) is incorrect because the aws:AccountNumber condition would allow access only to IAM users or roles from a specific AWS account, not an AWS Organization.
Option C (Ensure the bucket policy has a condition that involves aws:PrincipalID) is incorrect because the aws:PrincipalID condition would allow access only to a specific IAM user or role, not an AWS Organization.
Option D (Ensure the bucket policy has a condition that involves aws:OrgID) is incorrect because there is no such condition as aws:OrgID. The correct condition is aws:PrincipalOrgID.