AWS Certified Security – Specialty (SCS-C02) — Question 263
A company uses an organization in AWS Organizations to help separate its Amazon EC2 instances and VPCs. The company has separate OUs for development workloads and production workloads.
A security engineer must ensure that only AWS accounts in the production OU can write VPC flow logs to an Amazon S3 bucket. The security engineer is configuring the S3 bucket policy with a Condition element to allow the s3:PutObject action for VPC flow logs.
How should the security engineer configure the Condition element to meet these requirements?
Answer options
- A. Set the value of the aws:SourceOrgID condition key to be the organization ID.
- B. Set the value of the aws:SourceOrgPaths condition key to be the Organizations entity path of the production OU.
- C. Set the value of the aws:ResourceOrgID condition key to be the organization ID.
- D. Set the value of the aws:ResourceOrgPaths condition key to be the Organizations entity path of the production OU.
Correct answer: B
Explanation
The correct answer is B because the aws:SourceOrgPaths condition key restricts access based on the Organizations entity path of the account making the request, so only accounts under the production OU can write to the S3 bucket. The other options do not limit the permission to the production OU: A and C use the organization ID, which matches every account in the organization and does not filter by OU, and D applies aws:ResourceOrgPaths, which describes the organization path of the resource being accessed rather than the requester, so it does not restrict who can perform s3:PutObject.
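As an added example (not part of the original question), this is what the bucket policy from option B could look like for flow log delivery. The bucket name, organization ID, root ID and production OU ID are uppercase placeholders, not real identifiers; the trailing `/*` on the path also matches child OUs nested under the production OU, and ForAnyValue is used because aws:SourceOrgPaths is a multivalued key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFlowLogWritesFromProductionOUOnly",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-FLOW-LOG-BUCKET/AWSLogs/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" },
        "ForAnyValue:StringLike": {
          "aws:SourceOrgPaths": "o-EXAMPLEORG/r-EXAMPLEROOT/ou-EXAMPLE-PRODUCTION/*"
        }
      }
    },
    {
      "Sid": "AllowFlowLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::EXAMPLE-FLOW-LOG-BUCKET"
    }
  ]
}
```

Replacing the aws:SourceOrgPaths condition with aws:SourceOrgID (option A) would be the weaker control: every account in the organization, including the development OU, could then deliver flow logs to the bucket.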