A company uses AWS Organizations to manage multiple AWS accounts for different departments. The management account owns an Amazon S3 bucket that contains project reports. The company wants to restrict access to this S3 bucket to only users of accounts within the AWS Organization. Which solution meets this requirement with the least operational overhead?
Choose an answer
Tap an option to check your answer.
Correct answer: Add the aws PrincipalOrgID global condition key with a reference to the organization ID to the S3 bucket policy..
Why this is the answer
The aws:PrincipalOrgID global condition key restricts access to an S3 bucket to only principals (users or roles) belonging to accounts within a specific AWS Organization. By adding this condition with the organization's ID to the S3 bucket policy, you ensure that only authorized accounts within your organization can access the bucket, regardless of which account they are in. This is the most straightforward and least operationally intensive method. Using aws:PrincipalOrgPaths is more complex as it requires specifying the full path of OUs, which adds management overhead if the organizational structure changes. CloudTrail monitoring and policy updates are reactive and highly manual, leading to significant operational overhead and potential security gaps. Tagging users is not scalable and requires continuous management as users and roles change.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed