A company centrally manages hundreds of AWS accounts using AWS Organizations. They have recently allowed product teams to create and manage their own S3 access points within their accounts, but these access points must only be accessible within VPCs and not on the internet. What is the most operationally efficient method to enforce this requirement?

Exam-Like

Set the S3 access point resource policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.

50.0%

Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.

37.5%

Use AWS CloudFormation StackSets to create a new IAM policy in each AWS account that allows the s3:CreateAccessPoint action only if the s3:AccessPointNetworkOrigin condition key evaluates to VPC.

12.5%

Set the S3 bucket policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.

0.0%

AWS Certified Solutions Architect - Professional

Get started today

Comments