The AWS accounts in your company are managed in AWS Organizations and Organizational Units (OUs)
In one AWS account, there is an S3 bucket that stores sensitive documents.
The S3 bucket should only allow the AWS accounts from one OU of your Organization to get its objects.
Which of the following methods is the easiest one to achieve the requirement?
A. In the S3 bucket policy, add all the IAM entities from the OU to the Principal field and allow read access.
B. Add the condition key “aws:PrincipalOrgPaths” in the S3 bucket policy to allow access based on the principal's organization path.
C. Add a Service Control Policy (SCP) to the OU that allows the get object action.
D. In the S3 Access Control List, allow access for all the AWS accounts in the OU and its child OUs.

Correct Answer - B.
Option A is incorrect: you would have to list every IAM entity in the OU in the bucket policy, so this is not the easiest solution.
Option B is CORRECT: the condition key “aws:PrincipalOrgPaths” lets the bucket policy check whether the principal comes from the OU.
Option C is incorrect: an SCP only bounds the maximum permissions of the accounts in the OU; you would still need the S3 bucket policy to actually grant access to the bucket.
Option D is incorrect: you would have to enumerate all the required AWS accounts in the ACL, which is hard to maintain when the AWS accounts in the OU change. Option B is easier than this one.
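The following is an added example, not part of the original quiz page, showing the bucket policy that option B describes and a simplified model of how its condition is evaluated. The organization id, root id, OU id and bucket name are constructed placeholders, and `principal_allowed` is a deliberately small approximation of IAM's `ForAnyValue:StringLike` matching on the multivalued `aws:PrincipalOrgPaths` key, not the real policy engine (it handles only `Allow` statements and this one condition).

```python
"""Added example (not from the original page): S3 bucket policy that grants
s3:GetObject only to principals whose account sits in one OU (or a child OU),
plus a simplified matcher to reason about which principals it admits.

Assumptions (all constructed placeholders): ORG_ID, ROOT_ID, OU_ID, BUCKET.
The matcher models ForAnyValue:StringLike on aws:PrincipalOrgPaths only.
"""
import fnmatch
import json

ORG_ID = "o-exampleorg"        # placeholder organization id
ROOT_ID = "r-examp"            # placeholder root id
OU_ID = "ou-examp-11111111"    # placeholder OU whose accounts may read objects
BUCKET = "example-sensitive-docs"

# aws:PrincipalOrgPaths values look like "<org>/<root>/<ou>/<child-ou>/".
# The trailing "/*" matches accounts directly in OU_ID and in any nested OU.
OU_PATH_PATTERN = f"{ORG_ID}/{ROOT_ID}/{OU_ID}/*"


def build_bucket_policy() -> dict:
    """Return the option-B bucket policy as a dict (json.dumps it to deploy).

    Principal "*" is narrowed by the condition; because aws:PrincipalOrgPaths
    is a multivalued key, the set operator ForAnyValue is required.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowGetObjectFromOneOrgPath",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{BUCKET}/*",
                "Condition": {
                    "ForAnyValue:StringLike": {
                        "aws:PrincipalOrgPaths": [OU_PATH_PATTERN]
                    }
                },
            }
        ],
    }


def principal_allowed(policy: dict, action: str, principal_org_paths: list) -> bool:
    """Simplified evaluation: True if some Allow statement covers `action`
    and its aws:PrincipalOrgPaths condition matches one of the principal's
    org paths. A principal outside any organization has no org paths, so a
    ForAnyValue condition on the key cannot match and access is denied.
    """
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        cond = stmt.get("Condition", {})
        patterns = cond.get("ForAnyValue:StringLike", {}).get("aws:PrincipalOrgPaths", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        # StringLike: "*" matches any run of characters, including none.
        matched = any(
            fnmatch.fnmatchcase(path, pat) for path in principal_org_paths for pat in patterns
        )
        if stmt["Effect"] == "Allow" and (not cond or matched):
            return True
    return False  # implicit deny


if __name__ == "__main__":
    policy = build_bucket_policy()
    print(json.dumps(policy, indent=2))
    # Constructed sample principals: in the OU, in a child OU, in a sibling OU.
    for paths in (
        [f"{ORG_ID}/{ROOT_ID}/{OU_ID}/"],
        [f"{ORG_ID}/{ROOT_ID}/{OU_ID}/ou-examp-22222222/"],
        [f"{ORG_ID}/{ROOT_ID}/ou-examp-33333333/"],
    ):
        print(paths, "->", principal_allowed(policy, "s3:GetObject", paths))
```

Note that the wildcard is what makes child OUs eligible; if only accounts placed directly in the OU should read objects, use the exact path `o-.../r-.../ou-.../` instead of `.../ou-.../*`. Contrast this with option A, where the `Principal` element would have to be edited every time an account or role joins or leaves the OU.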
Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
https://aws.amazon.com/blogs/security/iam-share-aws-resources-groups-aws-accounts-aws-organizations/

The easiest method to restrict access to an S3 bucket to only specific AWS accounts within an OU in AWS Organizations is to use an S3 bucket policy with the appropriate IAM principals.
Option A: In the S3 bucket policy, add all the IAM entities from the OU to the Principal field and allow read access. This option is correct as it is the easiest way to restrict access to an S3 bucket for a specific set of IAM entities, in this case, those in an OU. You can use a bucket policy to specify which AWS accounts or IAM users or roles are allowed to access the objects in the bucket. You can also use a policy to specify what actions are allowed (e.g., GET, PUT, DELETE). In this case, the policy should be set to allow read access for the IAM entities within the OU, and deny access to any other AWS accounts.
Option B: Add the condition key “aws:PrincipalOrgPaths” in the S3 bucket policy to allow access based on the principal's organization path. This option is incorrect, as it is not the easiest method to restrict access to an S3 bucket to specific AWS accounts within an OU. Using "aws:PrincipalOrgPaths" can allow or deny access to the bucket based on the organization path of the IAM principal. However, it requires specifying the organization path of each IAM entity that should have access, which can be cumbersome and time-consuming.
Option C: Add a Service Control Policy (SCP) to the OU that allows the get object action. This option is incorrect because SCPs are used to set permissions that apply to all AWS accounts within an OU or its child OUs. SCPs are not specific to S3 buckets, and they are not the easiest method to restrict access to a specific S3 bucket.
Option D: In the S3 Access Control List, allow access for all the AWS accounts in the OU and its child OUs. This option is incorrect because using an ACL is not the easiest method to restrict access to an S3 bucket to specific AWS accounts within an OU. An ACL applies to a specific object within a bucket, whereas a bucket policy applies to all objects within the bucket. Also, using an ACL can be complicated, as you need to specify the AWS account IDs or IAM users or roles that should have access to each object in the bucket.
Therefore, option A is the easiest and most straightforward method to restrict access to an S3 bucket to specific AWS accounts within an OU in AWS Organizations.