AWS Certified Security – Specialty — Question 274
A company wants to gain better control of its large number of AWS accounts by establishing a centralized location where the accounts can be managed. The company also wants to prevent any users outside the company-owned AWS accounts from accessing a company Amazon S3 bucket.
Which solution meets these requirements with the LEAST amount of operational overhead?
Answer options
- A. Implement an organization in AWS Organizations. Build a detective control by monitoring AWS CloudTrail logs for attempts to access the S3 bucket from IP addresses outside the company.
- B. Deploy an AWS Control Tower landing zone, and migrate the accounts. Create an S3 bucket policy that restricts access to only a principal list of accounts that have been manually entered.
- C. Create an organization in AWS Organizations. Invite the AWS accounts to join the organization. Create a resource policy that includes a PrincipalOrgID condition key for the S3 bucket.
- D. Invite all of the company's AWS accounts into AWS Control Tower. Use AWS Control Tower's automatic protection for the AWS accounts to deny access from external users.
Correct answer: C
Explanation
Using AWS Organizations allows centralized management of AWS accounts, while applying an S3 resource policy with the aws:PrincipalOrgID condition key automatically restricts access to only accounts belonging to that organization. This approach requires the least operational overhead because it eliminates the need to manually update a list of allowed accounts as new ones are added. Other options either involve high manual maintenance, detective-only controls that do not prevent access, or features that do not natively exist in AWS Control Tower for this specific S3 use case.
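The bucket policy pattern behind option C, as an added example that is not part of the original question or AWS documentation. The bucket name and organization ID are constructed placeholders. The small evaluator is a deliberately simplified model of resource-policy evaluation (explicit Deny wins, then Allow, else implicit deny) written to illustrate the aws:PrincipalOrgID condition semantics; it does not model identity policies, SCPs or the real IAM engine, and cross-account principals inside the organization still need an identity-policy Allow of their own.

```python
import fnmatch
import json
from typing import Any, Dict, Optional

# Constructed placeholders, not real identifiers.
BUCKET_NAME = "example-company-bucket"
ORG_ID = "o-exampleorg1"


def build_bucket_policy(bucket: str, org_id: str) -> Dict[str, Any]:
    """Return an S3 bucket policy keyed on aws:PrincipalOrgID.

    Principals from the organization are allowed, everyone else is explicitly
    denied. No per-account list is maintained: accounts that join the
    organization are covered automatically, which is the low-overhead point
    of the correct answer."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOrgPrincipals",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": resources,
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            },
            {
                "Sid": "DenyOutsideOrg",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": org_id}},
            },
        ],
    }


def _condition_matches(condition: Dict[str, Dict[str, str]],
                       context: Dict[str, Optional[str]]) -> bool:
    """Simplified model of the two IAM string operators used above.

    IAM semantics for a missing context key: StringEquals is false and the
    negated StringNotEquals is true. That is why an anonymous request, which
    carries no aws:PrincipalOrgID, falls into the Deny statement."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy: Dict[str, Any], action: str,
             context: Dict[str, Optional[str]]) -> str:
    """Simplified resource-policy evaluation (hypothetical helper, not IAM).

    Returns 'allow', 'explicit-deny' or 'implicit-deny'. An explicit Deny
    always wins; with no matching Allow the result is an implicit deny."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET_NAME, ORG_ID)
    print(json.dumps(policy, indent=2))
    # Request contexts are constructed: an in-org principal, an out-of-org
    # principal, and an anonymous caller with no org key at all.
    for label, ctx in [("in-org", {"aws:PrincipalOrgID": ORG_ID}),
                       ("other-org", {"aws:PrincipalOrgID": "o-otherorg99"}),
                       ("anonymous", {})]:
        print(f"{label:10s} s3:GetObject -> {evaluate(policy, 's3:GetObject', ctx)}")
```

The Deny statement is what enforces the requirement: even if a broad Allow were added elsewhere in the policy later, a principal outside the organization (or with no organization at all, such as an anonymous caller) still hits the explicit Deny. The Allow statement is scoped to the read actions the example grants; widen it only to the actions the organization's accounts actually need.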