AWS Certified Security – Specialty (SCS-C02) — Question 264
A company needs to prevent Amazon S3 objects from being shared with IAM identities outside of the company’s organization in AWS Organizations. A security engineer is creating and deploying an SCP to accomplish this goal. The company has enabled the S3 Block Public Access feature on all of its S3 buckets.
What should the SCP do to meet these requirements?
Answer options
- A. Deny the S3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws:ResourceOrgID, and a value of ${aws:PrincipalOrgID}.
- B. Deny the S3:PutAccountPublicAccessBlock action with a Condition element that comprises an operator of StringLike, a key of aws:PrincipalArn, and the values of the external IAM principals.
- C. Allow the S3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws:PrincipalOrgID, and a value of ${aws:PrincipalOrgID}.
- D. Deny the S3:* action with a Condition element that comprises an operator of StringLike, a key of aws:PrincipalArn, and the values of the external IAM principals.
Correct answer: A
Explanation
The correct answer is A. An SCP only constrains principals that belong to the organization, so the control an SCP can actually enforce is to stop those principals from reading, copying or uploading objects against buckets owned outside the organization. The condition key aws:ResourceOrgID carries the organization ID of the account that owns the target resource (for S3, the bucket owner), and ${aws:PrincipalOrgID} is a policy variable that resolves to the caller's own organization ID. Denying s3:* with StringNotEquals on those two values therefore blocks every S3 API call whose bucket belongs to a different organization, or to an account in no organization at all: in that last case aws:ResourceOrgID is absent from the request context, and a negated operator such as StringNotEquals matches when its key is missing, so the Deny still applies. Option B is incorrect because s3:PutAccountPublicAccessBlock governs the Block Public Access settings, which the company has already enabled, and has nothing to do with who can access objects. Option C is incorrect for two reasons: an Allow in an SCP grants no permissions by itself, and StringNotEquals comparing aws:PrincipalOrgID with ${aws:PrincipalOrgID} compares the key with its own value, so the condition can never be true. Option D is incorrect because an SCP is never evaluated for principals outside the organization, and a Deny keyed on an explicit list of external ARNs would have to enumerate every external identity in advance; it restricts nothing in practice.
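The following is an added example, not part of the exam question or of AWS documentation. It writes out the SCP from answer A as a policy document and models how IAM evaluates its StringNotEquals condition against three constructed request contexts: a bucket in the caller's own organization, a bucket in a different organization, and a bucket whose owner account is in no organization (so aws:ResourceOrgID is absent). The organization IDs are placeholders, and the evaluator only implements the single operator this policy uses.

```python
import fnmatch
import json
import re

# Added example: the SCP described in answer A as a policy document.
# s3:* is denied whenever the account that owns the bucket is not in the
# caller's organization (including owners that belong to no organization).
SCP_DENY_S3_OUTSIDE_ORG = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyS3AgainstResourcesOutsideOrg",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:ResourceOrgID": "${aws:PrincipalOrgID}"
                }
            },
        }
    ],
}

_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def scp_json() -> str:
    """Render the SCP as the JSON document you would attach in AWS Organizations."""
    return json.dumps(SCP_DENY_S3_OUTSIDE_ORG, indent=2)


def resolve_variables(value: str, context: dict) -> str:
    """Substitute ${key} policy variables with values from the request context."""
    return _VARIABLE.sub(lambda m: context.get(m.group(1), ""), value)


def string_not_equals(key: str, expected: str, context: dict) -> bool:
    """Evaluate StringNotEquals for a single-valued key the way IAM does.

    A negated operator matches when the key is absent from the request
    context. That is the case when the bucket owner is an account that is in
    no organization: aws:ResourceOrgID is simply not set, and the Deny applies.
    """
    if key not in context:
        return True
    return context[key] != resolve_variables(expected, context)


def scp_denies(policy: dict, action: str, context: dict) -> bool:
    """Return True if a Deny statement in the SCP matches the action and context.

    Only the StringNotEquals operator is modelled, and resource matching is
    skipped because the statement uses Resource "*". Action matching is
    case-insensitive, as in IAM.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in actions):
            continue
        conditions = stmt.get("Condition", {}).get("StringNotEquals", {})
        if all(string_not_equals(k, v, context) for k, v in conditions.items()):
            return True
    return False


# Constructed request contexts; the organization IDs are placeholders.
ORG = "o-exampleorg1111"
IN_ORG_BUCKET = {"aws:PrincipalOrgID": ORG, "aws:ResourceOrgID": ORG}
OTHER_ORG_BUCKET = {"aws:PrincipalOrgID": ORG, "aws:ResourceOrgID": "o-otherorg22222"}
NO_ORG_BUCKET = {"aws:PrincipalOrgID": ORG}  # owner account is in no organization


if __name__ == "__main__":
    print(scp_json())
    cases = [("in-org", IN_ORG_BUCKET), ("other-org", OTHER_ORG_BUCKET), ("no-org", NO_ORG_BUCKET)]
    for name, ctx in cases:
        denied = scp_denies(SCP_DENY_S3_OUTSIDE_ORG, "s3:PutObject", ctx)
        print(f"s3:PutObject against {name} bucket denied: {denied}")
```

Running it shows the Deny applying to the other-organization and no-organization buckets while leaving S3 calls against the organization's own buckets alone, and it does not touch non-S3 actions at all. Note that s3:PutBucketPolicy on an in-organization bucket is also left alone, so this SCP does not stop an administrator from granting an external principal access through a bucket policy; that side of the problem is governed by resource policies, not by this SCP.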