{"id":373,"date":"2022-02-09T05:51:51","date_gmt":"2022-02-09T05:51:51","guid":{"rendered":"https:\/\/exampracticetests.com\/aws\/Security-Specialty_SCS-C01\/aws-certified-security-specialty-scs-c01-question307\/"},"modified":"2022-02-09T05:51:51","modified_gmt":"2022-02-09T05:51:51","slug":"aws-certified-security-specialty-scs-c01-question307","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/aws\/Security-Specialty_SCS-C01\/aws-certified-security-specialty-scs-c01-question307\/","title":{"rendered":"AWS Certified Security – Specialty SCS-C01 – Question307"},"content":{"rendered":"
A company wants to gain better control of its large number of AWS accounts by establishing a centralized location where the accounts can be managed. The company also wants to prevent any users outside the company-owned AWS accounts from accessing a company Amazon S3 bucket.
\nWhich solution meets these requirements with the LEAST amount of operational overhead?

A.<\/strong> Implement an organization in AWS Organizations. Build a detective control by monitoring AWS CloudTrail logs for attempts to access the S3 bucket from IP addresses outside the company.
B.<\/strong> Deploy an AWS Control Tower landing zone, and migrate the accounts. Create an S3 bucket policy that restricts access to only a principal list of accounts that have been manually entered.
C.<\/strong> Create an organization in AWS Organizations. Invite the AWS accounts to join the organization. Create a resource policy that includes a PrincipalOrgID condition key for the S3 bucket.
D.<\/strong> Invite all of the company's AWS accounts into AWS Control Tower. Use AWS Control Tower's automatic protection for the AWS accounts to deny access from external users.<\/div>\n

<\/p>\n