Question 235:
Your company owns a large number of AWS accounts (1000+), and they are divided into dozens of AWS Organizations for better management. Your team owns an AWS account where an S3 bucket is created. You need to control the permissions so that only certain IAM users in one AWS Organization can read the objects in the S3 bucket. How would you configure the permissions for this S3 bucket?
Answer options:
A.In the S3 bucket policy, specify the IAM users` ARNs in the Principal field. Add a condition key aws:PrincipalOrgID to require the principal accounts to be in the organization. B.In the Principal field of the S3 bucket policy, add the AWS Organization ARN so that its IAM users are allowed to access the S3 bucket. C.Log in as the master account in the AWS Organization. Divide the IAM users into different Organizational Units. Use SCP in the OU to allow the read access to the S3 bucket. D.In the AWS Management Console, add the Organization ARN in S3 -> Permissions -> Access Control List and ensure that only the read bucket permissions are allowed.
