Your company owns a large number of AWS accounts (1000+), and they are divided into dozens of AWS Organizations for better management.
Your team owns an AWS account where an S3 bucket is created.
You need to control the permissions so that only certain IAM users in one AWS Organization can read the objects in the S3 bucket.
How would you configure the permissions for this S3 bucket?
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer - A.
The S3 bucket should allow the IAM users from the AWS Organization.
The condition key aws:PrincipalOrgID can be added in the S3 bucket policy.
An example can be found in.
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/.Option A is CORRECT: The condition key aws:PrincipalOrgID can be used to check if the requesting principal belongs with the identifier specified in the policy.
Please refer to.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html.Option B is incorrect: Because you cannot add an AWS Organization ARN in the Principal field.
The following items can be specified as principals in a policy:
AWS account and root user.
IAM users.
Federated users (using web identity or SAML federation)
IAM roles.
Assumed-role sessions.
AWS services.
Anonymous users (not recommended)
Option C is incorrect: Because SCP in an OU can be regarded as a permission boundary.
You still need the S3 bucket policy to allow cross-account access.
Option D is incorrect: Because in the S3 Access Control List, you cannot add an Organization ARN.
Check the below snapshot:
To control access to an S3 bucket so that only specific IAM users in one AWS Organization can read the objects, we can use a combination of S3 bucket policies and AWS Organizations Service Control Policies (SCPs).
Answer A is the correct answer. Here's why:
The Principal field in an S3 bucket policy specifies who is allowed or denied access to the bucket. We need to specify the ARNs of the IAM users who should be allowed to read objects in the S3 bucket.
Example:
json{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowOrganizationReadAccess", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::ACCOUNT-ID:root", "arn:aws:iam::ACCOUNT-ID:user/user-name" ] }, "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::example-bucket/*" ] } ] }
aws:PrincipalOrgID
to require the principal accounts to be in the organization.The aws:PrincipalOrgID
condition key ensures that only IAM users in a specific AWS Organization are allowed access to the S3 bucket. We need to specify the organization ID in this condition key.
Example:
json{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowOrganizationReadAccess", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::ACCOUNT-ID:root", "arn:aws:iam::ACCOUNT-ID:user/user-name" ] }, "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::example-bucket/*" ], "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-abcdefg" } } } ] }
This policy allows IAM users with ARNs "arn:aws:iam::ACCOUNT-ID:root"
and "arn:aws:iam::ACCOUNT-ID:user/user-name"
in the AWS Organization with ID "o-abcdefg"
to read objects in the S3 bucket with the name "example-bucket"
.
Answer B is incorrect because adding the AWS Organization ARN to the Principal field in the S3 bucket policy will not grant access to IAM users in that organization. The Principal field only specifies individual IAM users, IAM roles, or AWS accounts.
Answer C is incorrect because Service Control Policies (SCPs) cannot grant access to specific S3 buckets. SCPs can only limit permissions for IAM entities (users, groups, roles) in an AWS Organization.
Answer D is incorrect because the Access Control List (ACL) is not the recommended way to manage access to S3 buckets. Bucket policies are a more flexible and powerful way to control access to S3 buckets. Additionally, adding the Organization ARN to the ACL will not grant access to IAM users in that organization. The ACL only controls access for individual AWS accounts or IP addresses.