Topic 1 Question 286
A company manages hundreds of AWS accounts centrally in an organization in AWS Organizations. The company recently started to allow product teams to create and manage their own S3 access points in their accounts. The S3 access points can be accessed only within VPCs, not on the internet.
What is the MOST operationally efficient way to enforce this requirement?
Set the S3 access point resource policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
Use AWS CloudFormation StackSets to create a new IAM policy in each AWS account that allows the s3:CreateAccessPoint action only if the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
Set the S3 bucket policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
ユーザの投票
コメント(12)
- 正解だと思う選択肢: B
B - Since you have 100s of accounts. If it was a single account, then A. https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/
👍 3SmileyCloud2023/06/27 B - This approach ensures centralized policy management and consistent enforcement across all AWS accounts within the organization. It avoids the need for configuring bucket policies or access point resource policies in each individual account, making it operationally efficient.
👍 2Don20212023/06/21- 正解だと思う選択肢: B
B when the question mention AWS Organizations, use SCP always the good choice.
👍 2PhuocT2023/06/24
シャッフルモード