AWS Certified Solutions Architect – Associate (SAA-C02) — Question 463

A company uses AWS Organizations to manage multiple AWS accounts for different departments. The management account has an Amazon S3 bucket that contains project reports. The company wants to limit access to this S3 bucket to only users of accounts within the organization in AWS Organizations.
Which solution meets these requirements with the LEAST amount of operational overhead?

Answer options

• A. Add the aws:PrincipalOrgID global condition key with a reference to the organization ID to the S3 bucket policy.
• B. Create an organizational unit (OU) for each department. Add the aws:PrincipalOrgPaths global condition key to the S3 bucket policy.
• C. Use AWS CloudTrail to monitor the CreateAccount, InviteAccountToOrganization, LeaveOrganization, and RemoveAccountFromOrganization events. Update the S3 bucket policy accordingly.
• D. Tag each user that needs access to the S3 bucket. Add the aws:PrincipalTag global condition key to the S3 bucket policy.

Correct answer: D

Explanation

Applying tags to authorized users and utilizing the aws:PrincipalTag global condition key in the S3 bucket policy provides a highly scalable and low-overhead method to control access. This attribute-based access control (ABAC) avoids the need to constantly update bucket policies as users change, unlike manual policy updates or tracking organization membership events via CloudTrail. Other options either require complex organizational unit path management or do not scale as efficiently for user-level access restriction.