Q44 — AWS SAP-C02 Ch.3


Q269. A company manages hundreds of AWS accounts centrally in an organization in AWS Organizations. The company recently started to allow product teams to create and manage their own S3 access points in their accounts. The S3 access points must be accessible only from within VPCs, not from the internet. What is the MOST operationally efficient way to enforce this requirement?

Correct Answer: B. Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.

Explanation

A service control policy (SCP) attached to the organization root that denies the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key equals VPC is the most operationally efficient way to enforce this requirement. An SCP is a single, centrally managed guardrail: it is evaluated for every principal in every member account (including each account's root user), it needs no per-account or per-access-point configuration, and accounts that later join the organization inherit it automatically. The condition key is present on every CreateAccessPoint request; an access point created without a VPC configuration carries the value Internet and is therefore denied.

Option A is not optimal because it only applies to individual access points, which does not scale across hundreds of accounts and many access points. Option C adds unnecessary complexity by deploying an IAM policy into each account with CloudFormation StackSets, and an IAM policy can be modified by the account that holds it. Option D is not recommended because restricting access in the S3 bucket policy does not control how access points are created and offers little granularity or flexibility for future changes.

Two caveats apply in practice. The SCP governs creation only: access points that already exist with an Internet network origin are not changed by it and must be reviewed separately. And SCPs never apply to the organization's management account, so access points should not be created there.

The AWS documentation states: "You can set up AWS SCPs to require any new Access Point in the organization to be restricted to VPC-only type. This makes sure that any Access Point created in your organization provides access only from within the VPCs and thereby firewalling your data to within your private networks."
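The SCP that implements the correct answer, written out here as an added example rather than text taken from the question or from AWS; the statement Sid is an assumption, and the policy is scoped with Resource "*" because the deny must cover every access point in every account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessPointsNotRestrictedToVpc",
      "Effect": "Deny",
      "Action": "s3:CreateAccessPoint",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:AccessPointNetworkOrigin": "VPC"
        }
      }
    }
  ]
}
```

The policy is created with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and attached with `aws organizations attach-policy` to the root ID (the `r-` prefixed target), so it reaches every OU and account beneath it. StringNotEquals is used rather than an Allow-on-VPC statement because a Deny cannot be undone by any IAM policy in the member account, and a negated string operator also matches when the key is absent from the request context, so the guardrail fails closed. The SCP only governs the CreateAccessPoint call; listing access points in each account and checking their NetworkOrigin is still needed to find ones created before the policy was attached.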