AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company uses AWS Organizations to manage multiple AWS accounts for different departments. The management account has an Amazon S3 bucket that contains project reports. The company wants to limit access to this S3 bucket to only users of accounts within the organization in AWS Organizations.
Which solution meets these requirements with the LEAST amount of operational overhead?
Other
Community
UAnonymous
A
Add the aws:PrincipalOrgID global condition key with a reference to the organization ID to the S3 bucket policy.
B
Create an organizational unit (OU) for each department. Add the aws:PrincipalOrgPaths global condition key to the S3 bucket policy.
C
Use AWS CloudTrail to monitor the CreateAccount, InviteAccountToOrganization, LeaveOrganization, and RemoveAccountFromOrganization events. Update the S3 bucket policy accordingly.
D
Tag each user that needs access to the S3 bucket. Add the aws:PrincipalTag global condition key to the S3 bucket policy.
Explanation:
Explanation
The correct answer is A because:
- aws:PrincipalOrgID is a global condition key that automatically checks whether the principal (user/role) belongs to the specified AWS Organization ID.
- This solution requires minimal operational overhead - you only need to add a single condition to the S3 bucket policy referencing your organization ID.
- It automatically applies to all current and future accounts within the organization without manual updates.
Why other options are incorrect:
B (aws:PrincipalOrgPaths): While this could work, it requires creating OUs for each department and managing OU paths, which adds operational overhead compared to simply using the organization ID.
C (CloudTrail monitoring): This approach requires continuous monitoring, automation to update policies, and maintenance of event handling logic - significant operational overhead.
D (PrincipalTag): This requires manually tagging each user and maintaining those tags as users change, creating ongoing operational overhead.
Key AWS Concepts:
- aws:PrincipalOrgID: A global condition key that checks if the principal belongs to a specific AWS Organization
- S3 bucket policies: JSON-based policies that control access to S3 resources
- AWS Organizations: Service for centrally managing multiple AWS accounts
- Least operational overhead: The solution should be simple, require minimal maintenance, and automatically adapt to organizational changes
This solution ensures that only principals from accounts within your AWS Organization can access the S3 bucket, meeting security requirements with minimal administrative effort.
Comments
Loading comments...