
Answer-first summary for fast verification
Answer: Add the aws:PrincipalOrgID global condition key with a reference to the organization ID to the S3 bucket policy.
## Explanation

The correct answer is **A** because:

1. **aws:PrincipalOrgID** is a global condition key that checks whether the principal (user or role) making the request belongs to the specified AWS Organization. The key carries the organization ID, not an account ID, so no per-account list is needed.
2. This solution requires minimal operational overhead: you only need to add a single condition to the S3 bucket policy referencing your organization ID.
3. It automatically applies to all current and future accounts within the organization, with no manual policy updates when accounts are added or removed.

### Why other options are incorrect:

**B** (aws:PrincipalOrgPaths): While this could work, it requires creating OUs for each department and managing OU paths, which adds operational overhead compared to simply using the organization ID.

**C** (CloudTrail monitoring): This approach requires continuous monitoring, automation to update policies, and maintenance of event-handling logic, which is significant operational overhead.

**D** (PrincipalTag): This requires manually tagging each user and maintaining those tags as users change, creating ongoing operational overhead.

### Key AWS Concepts:

- **aws:PrincipalOrgID**: A global condition key that checks whether the principal belongs to a specific AWS Organization
- **S3 bucket policies**: JSON-based resource policies that control access to S3 resources
- **AWS Organizations**: Service for centrally managing multiple AWS accounts
- **Least operational overhead**: The solution should be simple, require minimal maintenance, and automatically adapt to organizational changes

This solution ensures that only principals from accounts within your AWS Organization can access the S3 bucket, meeting the security requirement with minimal administrative effort.
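As an added illustration (not part of the original quiz page), the following Python builds the bucket policy that option A describes and includes a small evaluator that mimics how IAM applies a `StringEquals` condition on `aws:PrincipalOrgID`. The bucket name and organization ID are constructed placeholders, and the evaluator is a deliberately simplified model of bucket-policy evaluation (no resource matching, no identity policies), written only to show why an account that joins the organization later is allowed without any policy change while an outside or anonymous principal is not.

```python
"""Added example: build an S3 bucket policy restricted with aws:PrincipalOrgID and
simulate the condition check. Bucket name, org ID and request contexts below are
constructed placeholders, not values from the original page."""
import json

BUCKET_NAME = "example-project-reports"   # constructed placeholder
ORG_ID = "o-exampleorgid"                 # constructed placeholder organization ID


def build_bucket_policy(bucket: str, org_id: str) -> dict:
    """Return a bucket policy that allows read access only to principals whose
    account is a member of `org_id`. This follows the documented pattern: an Allow
    with Principal "*" narrowed by a StringEquals condition on aws:PrincipalOrgID,
    so the policy never has to list individual account IDs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOnlyOrganizationPrincipals",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            }
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate StringEquals / StringNotEquals the way IAM does for a missing key:
    a positive operator is false when the key is absent from the request context,
    a negated operator is true. Only these two operators are modelled here."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            allowed_values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in allowed_values:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in allowed_values:
                    return False
            else:
                raise ValueError(f"operator not modelled in this example: {operator}")
    return True


def is_allowed(policy: dict, action: str, context: dict) -> bool:
    """Simplified evaluation of the bucket policy alone: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise implicit deny. `context` holds
    request condition keys; a principal outside any organization (or an anonymous
    request) simply has no aws:PrincipalOrgID key in its context."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET_NAME, ORG_ID)
    print(json.dumps(policy, indent=2))
    # Constructed request contexts: a member account (including one created after the
    # policy was written, since the key carries the org ID, not the account ID), an
    # account in a different organization, and a principal with no organization.
    print(is_allowed(policy, "s3:GetObject", {"aws:PrincipalOrgID": ORG_ID}))        # True
    print(is_allowed(policy, "s3:GetObject", {"aws:PrincipalOrgID": "o-otherorg"}))  # False
    print(is_allowed(policy, "s3:GetObject", {}))                                    # False
```

The `Principal: "*"` in the Allow statement looks broad on its own; the condition is what narrows it, which is why the condition key must be exactly `aws:PrincipalOrgID` and the value your own organization ID. Because a principal that is not in any organization has no such key in its request context, the `StringEquals` check fails and the request falls through to the implicit deny.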
Author: LeetQuiz Editorial Team
A company uses AWS Organizations to manage multiple AWS accounts for different departments. The management account has an Amazon S3 bucket that contains project reports. The company wants to limit access to this S3 bucket to only users of accounts within the organization in AWS Organizations.
Which solution meets these requirements with the LEAST amount of operational overhead?
A. Add the aws:PrincipalOrgID global condition key with a reference to the organization ID to the S3 bucket policy.
B. Create an organizational unit (OU) for each department. Add the aws:PrincipalOrgPaths global condition key to the S3 bucket policy.
C. Use AWS CloudTrail to monitor the CreateAccount, InviteAccountToOrganization, LeaveOrganization, and RemoveAccountFromOrganization events. Update the S3 bucket policy accordingly.
D. Tag each user that needs access to the S3 bucket. Add the aws:PrincipalTag global condition key to the S3 bucket policy.