Configuring Permissions for S3 Bucket in AWS Organizations

Controlling Permissions for S3 Bucket in AWS Organizations

Prev Question Next Question

Question

Your company owns a large number of AWS accounts (1000+), and they are divided into dozens of AWS Organizations for better management.

Your team owns an AWS account where an S3 bucket is created.

You need to control the permissions so that only certain IAM users in one AWS Organization can read the objects in the S3 bucket.

How would you configure the permissions for this S3 bucket?

Answers

A. In the S3 bucket policy, specify the IAM users` ARNs in the Principal field. Add a condition key aws:PrincipalOrgID to require the principal accounts to be in the organization.

B. In the Principal field of the S3 bucket policy, add the AWS Organization ARN so that its IAM users are allowed to access the S3 bucket.

C. Log in as the master account in the AWS Organization. Divide the IAM users into different Organizational Units. Use SCP in the OU to allow the read access to the S3 bucket.

D. In the AWS Management Console, add the Organization ARN in S3 -> Permissions -> Access Control List and ensure that only the read bucket permissions are allowed.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - A.

The S3 bucket should allow the IAM users from the AWS Organization.

The condition key aws:PrincipalOrgID can be added in the S3 bucket policy.

An example can be found in.

https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/.

Option A is CORRECT: The condition key aws:PrincipalOrgID can be used to check if the requesting principal belongs with the identifier specified in the policy.

Please refer to.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html.

Option B is incorrect: Because you cannot add an AWS Organization ARN in the Principal field.

The following items can be specified as principals in a policy:

AWS account and root user.

IAM users.

Federated users (using web identity or SAML federation)

IAM roles.

Assumed-role sessions.

AWS services.

Anonymous users (not recommended)

Option C is incorrect: Because SCP in an OU can be regarded as a permission boundary.

You still need the S3 bucket policy to allow cross-account access.

Option D is incorrect: Because in the S3 Access Control List, you cannot add an Organization ARN.

Check the below snapshot:

Access for other AWS accounts

*F Add account

Canonical ID ©

List objects Write objects

e

[Enter a canonical ID or an er.

Cancel

Yes

e

Yes

Read bucket
permissions ©

Yes

Write bucket
permissions ©

Yes

To control access to an S3 bucket so that only specific IAM users in one AWS Organization can read the objects, we can use a combination of S3 bucket policies and AWS Organizations Service Control Policies (SCPs).

Answer A is the correct answer. Here's why:

In the S3 bucket policy, specify the IAM users' ARNs in the Principal field.

The Principal field in an S3 bucket policy specifies who is allowed or denied access to the bucket. We need to specify the ARNs of the IAM users who should be allowed to read objects in the S3 bucket.

Example:

json
{   "Version": "2012-10-17",   "Statement": [     {       "Sid": "AllowOrganizationReadAccess",       "Effect": "Allow",       "Principal": {         "AWS": [           "arn:aws:iam::ACCOUNT-ID:root",            "arn:aws:iam::ACCOUNT-ID:user/user-name"         ]       },       "Action": [         "s3:GetObject"       ],       "Resource": [         "arn:aws:s3:::example-bucket/*"       ]     }   ] }

Add a condition key aws:PrincipalOrgID to require the principal accounts to be in the organization.

The aws:PrincipalOrgID condition key ensures that only IAM users in a specific AWS Organization are allowed access to the S3 bucket. We need to specify the organization ID in this condition key.

Example:

json
{   "Version": "2012-10-17",   "Statement": [     {       "Sid": "AllowOrganizationReadAccess",       "Effect": "Allow",       "Principal": {         "AWS": [           "arn:aws:iam::ACCOUNT-ID:root",            "arn:aws:iam::ACCOUNT-ID:user/user-name"         ]       },       "Action": [         "s3:GetObject"       ],       "Resource": [         "arn:aws:s3:::example-bucket/*"       ],       "Condition": {         "StringEquals": {           "aws:PrincipalOrgID": "o-abcdefg"         }       }     }   ] }

This policy allows IAM users with ARNs "arn:aws:iam::ACCOUNT-ID:root" and "arn:aws:iam::ACCOUNT-ID:user/user-name" in the AWS Organization with ID "o-abcdefg" to read objects in the S3 bucket with the name "example-bucket".

Answer B is incorrect because adding the AWS Organization ARN to the Principal field in the S3 bucket policy will not grant access to IAM users in that organization. The Principal field only specifies individual IAM users, IAM roles, or AWS accounts.

Answer C is incorrect because Service Control Policies (SCPs) cannot grant access to specific S3 buckets. SCPs can only limit permissions for IAM entities (users, groups, roles) in an AWS Organization.

Answer D is incorrect because the Access Control List (ACL) is not the recommended way to manage access to S3 buckets. Bucket policies are a more flexible and powerful way to control access to S3 buckets. Additionally, adding the Organization ARN to the ACL will not grant access to IAM users in that organization. The ACL only controls access for individual AWS accounts or IP addresses.

Prev Question Next Question