Topic 1 Question 263
A company needs to prevent Amazon S3 objects from being shared with IAM identities outside of the company’s organization in AWS Organizations. A security engineer is creating and deploying an SCP to accomplish this goal. The company has enabled the S3 Block Public Access feature on all of its S3 buckets.
What should the SCP do to meet these requirements?
Deny the S3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws:ResourceOrgID, and a value of S{aws PrincipalOrgID}.
Deny the S3:PutAccountPublicAccessBlock action with a Condition element that comprises an operator of StringLike, a key of aws:PrincipalArn, and the values of the external IAM principals.
Allow the S3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws:PrincipalOrgID, and a value of S{aws:PrincipalOrgID}.
Deny the S3:* action with a Condition element that comprises an operator of StringLike, a key of aws:PrincipalArn, and the values of the external IAM principals
ユーザの投票
コメント(1)
- 正解だと思う選択肢: A
Use an SCP (Service Control Policy) – SCPs define what actions are allowed or denied across all accounts in an AWS Organization. Block access to resources for IAM principals outside of the organization – This ensures that only identities within the company’s AWS Organization can access the S3 objects. Use the correct condition key: aws:PrincipalOrgID refers to the organization ID of the AWS principal making the request. aws:ResourceOrgID refers to the organization ID of the AWS account that owns the resource. StringNotEquals ensures that the action is denied unless the resource belongs to the company’s organization.
👍 1AWSLoverLoverLoverLoverLover2025/02/20
シャッフルモード