Exam AWS Certified Security - Specialty topic 1 question 307 discussion

C is correct. Once all the AWS accounts are invited to the organization, you can define the aws:PrincipalOrgID condition and set the value to your organization ID in the S3 bucket policy. Then only the accounts in your Organization can access the S3 bucket and any new account also will have the same policy applied.

Correct answer is C.

C makes sense.. use "aws:PrincipalOrgID" in bucket policy

Organizations provide a centralized location where accounts can be managed, with the least amount of operational overhead. C

It is not B because says to maintain a list, using orgID is faster

CT is best practice but the scenario asks for LEAST operational overhead so it's definitely C.

https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/ To require the principal account to be in my organization, I add a condition to my policy using the global condition key aws:PrincipalOrgID. This condition requires that only principals from accounts in my organization can access the S3 bucket. This means that although Steve is one of the principals in the policy, he can’t access the financial report because the account that he is a member of doesn’t belong to my organization.

C is correct AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrgID, in these policies to require all principals accessing the resource to be from an account (including the master account) in the organization. For example, let’s say you have an Amazon S3 bucket policy and you want to restrict https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/

Option C is Correct Question asks about "organization wishes to block customers who do not have company-owned AWS accounts from accessing a corporate-owned Amazon S3 bucket." --> All comapany accounts should be in Organization to Use the aws:PrincipalOrgID

AWS Control Tower creates your landing zone using AWS Organizations, thereby bringing together ongoing account management and governance, as well as implementation of best practices based on our experience of working with thousands of customers as they migrate to the cloud. AWS CT lets builders provision new AWS accounts in just a few clicks, while you have peace of mind knowing that your accounts conform to company-wide policies. AWS customers can implement AWS CT, extend governance into new or existing accounts, and quickly gain visibility into their compliance status. should be "C"

Sorry. I read the options again. C actually talks about adding ALL AWS accounts.

A - No B- Yes. Also talk about S3 bucket protection C - No. The question is asking to maintain ALL the accounts not just AWS accounts. D - No. It could've been correct but it doesn’t talk about S3 protection