AWS Certified Solutions Architect – Associate (SAA-C03) — Question 13

A company uses AWS Organizations to manage multiple AWS accounts for different departments. The management account has an Amazon S3 bucket that contains project reports. The company wants to limit access to this S3 bucket to only users of accounts within the organization in AWS Organizations.
Which solution meets these requirements with the LEAST amount of operational overhead?

Answer options

• A. Add the aws PrincipalOrgID global condition key with a reference to the organization ID to the S3 bucket policy.
• B. Create an organizational unit (OU) for each department. Add the aws:PrincipalOrgPaths global condition key to the S3 bucket policy.
• C. Use AWS CloudTrail to monitor the CreateAccount, InviteAccountToOrganization, LeaveOrganization, and RemoveAccountFromOrganization events. Update the S3 bucket policy accordingly.
• D. Tag each user that needs access to the S3 bucket. Add the aws:PrincipalTag global condition key to the S3 bucket policy.

Correct answer: A

Explanation

The correct answer is A because adding the aws:PrincipalOrgID condition key to the S3 bucket policy directly restricts access to only those users in accounts that belong to the organization, reducing complexity and overhead. The other options either introduce unnecessary complexity (B and D) or require additional monitoring and updates (C) which increases operational overhead.