Q37 — AWS SCS-C02 Ch.1


A company needs to prevent Amazon S3 objects from being shared with IAM identities outside of the company's organization in AWS Organizations. A security engineer is creating and deploying an SCP to accomplish this goal. The company has enabled the S3 Block Public Access feature on all of its S3 buckets. What should the SCP do to meet these requirements?

Correct Answer: A. Deny the s3:* action with a Condition element that comprises an operator of StringNotEquals, a key of aws:ResourceOrgID, and a value of ${aws:PrincipalOrgID}.

Explanation

An SCP (Service Control Policy) bounds the permissions available to the member accounts of an organization. According to the AWS Organizations documentation, aws:PrincipalOrgID and aws:ResourceOrgID are the condition keys used to keep resource access within a single organization. Option A denies s3:* whenever a StringNotEquals comparison finds that the aws:ResourceOrgID of the target resource differs from the ${aws:PrincipalOrgID} of the caller, so S3 actions are permitted only when the requester and the resource belong to the same organization. Because StringNotEquals is a negated operator, it also matches when aws:ResourceOrgID is absent from the request context, so a bucket that belongs to no organization at all is denied as well. The other options are either too narrow (B, D) or syntactically wrong (C) and do not cover every scenario. The correct answer is A. One caveat a practitioner should keep in mind: an SCP only governs principals inside the organization. It stops those principals from reading or writing buckets that live outside the organization, but it cannot bind an external identity; inbound access by outside principals is controlled on the resource side, for example by a bucket policy with an aws:PrincipalOrgID condition.
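The following is an added example, not part of the original question bank, that embeds the SCP from option A and evaluates it against a few constructed request contexts with a minimal model of IAM condition matching. The organization IDs (o-examplea1b2, o-otherorg999) and the request contexts are made up for illustration; the evaluator supports only the operators this policy needs and assumes aws:PrincipalOrgID is always present, which holds for any principal an SCP can govern.

```python
import re

# Added example: the SCP from option A, exactly as a security engineer would deploy it.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyS3OutsideOrg",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:ResourceOrgID": "${aws:PrincipalOrgID}"
                }
            },
        }
    ],
}


def resolve_variables(value, ctx):
    """Substitute ${key} policy variables from the request context.

    Assumes every referenced variable is present; aws:PrincipalOrgID always is
    for a principal inside the organization, which is the only kind an SCP governs.
    """
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx[m.group(1)], value)


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' is a wildcard."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def condition_matches(condition, ctx):
    """Evaluate a Condition block; only StringEquals/StringNotEquals are modelled."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = resolve_variables(expected, ctx)
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators match when the key is absent from the context,
                # so a bucket that belongs to no organization still hits this Deny.
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def scp_denies(policy, action, ctx):
    """True if any Deny statement matches the request; an explicit deny always wins."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(action_matches(a, action) for a in actions):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed request contexts (hypothetical organization IDs).
SAME_ORG = {"aws:PrincipalOrgID": "o-examplea1b2", "aws:ResourceOrgID": "o-examplea1b2"}
OTHER_ORG = {"aws:PrincipalOrgID": "o-examplea1b2", "aws:ResourceOrgID": "o-otherorg999"}
NO_ORG = {"aws:PrincipalOrgID": "o-examplea1b2"}  # resource owned by an account in no organization

if __name__ == "__main__":
    for name, ctx in [("same org", SAME_ORG), ("other org", OTHER_ORG), ("no org", NO_ORG)]:
        print(f"s3:GetObject, {name}: denied={scp_denies(SCP, 's3:GetObject', ctx)}")
    print(f"ec2:DescribeInstances, other org: denied={scp_denies(SCP, 'ec2:DescribeInstances', OTHER_ORG)}")
```

Running the block shows that the same-organization request passes, the other-organization and no-organization requests are denied, and a non-S3 action is untouched because the statement's Action only covers s3:*. The no-organization case is the one worth remembering: it is denied only because StringNotEquals treats a missing aws:ResourceOrgID as a match, which is exactly the behaviour the data perimeter relies on.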