Which solution meets these requirements with the LEAST amount of operational overhead?
Implement an organization in AWS Organizations. Build a detective control by monitoring AWS CloudTrail logs for attempts to access the S3 bucket from IP addresses outside the company.
Deploy an AWS Control Tower landing zone, and migrate the accounts. Create an S3 bucket policy that restricts access to only a principal list of accounts that have been manually entered.
Create an organization in AWS Organizations. Invite the AWS accounts to join the organization. Create a resource policy that includes a PrincipalOrgID condition key for the S3 bucket.
Invite all of the company’s AWS accounts into AWS Control Tower. Use AWS Control Tower’s automatic protection for the AWS accounts to deny access from external users.
Explanations:
Monitoring CloudTrail for S3 access from IP addresses outside the company is a detective control, not a preventive one: it reports access after it has already happened, requires someone to keep watching and responding, and never actually stops a non-company principal from reading the bucket. Source IP address is also a poor proxy for account ownership, since company accounts may call S3 from outside the corporate address space and an outside account can just as easily call from inside it.
A Control Tower landing zone addresses account governance, not access to a specific bucket. A bucket policy whose principal list is maintained by hand must be edited every time an account is created or closed, which is ongoing operational work, and a stale list either leaves a gap or keeps granting access to an account that should no longer have it.
Placing the accounts in an AWS Organization and conditioning the bucket policy on the aws:PrincipalOrgID key ties access to organization membership rather than to an enumerated list of accounts: any principal in any account that belongs to the organization matches, and accounts that join or leave are picked up automatically with no change to the policy. This is the correct answer and the one with the least operational overhead.
AWS Control Tower has no "automatic protection" that denies external users access to a bucket. Its controls are implemented with service control policies and AWS Config rules, and SCPs only restrict what principals inside the organization are allowed to do; they have no effect on principals outside the organization, so they cannot be used to block non-company users from reaching the bucket.
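The bucket policy the correct answer describes, written out as an added example (not part of the original question or its explanations). The bucket name example-shared-bucket and the organization ID o-exampleorgid are placeholders; JSON allows no comments, so they are labelled here rather than in the document.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyPrincipalsInThisOrganization",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-shared-bucket",
        "arn:aws:s3:::example-shared-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        }
      }
    }
  ]
}
```

Three points a practitioner should check before relying on this. First, "Principal": "*" is safe here only because of the condition: aws:PrincipalOrgID is absent for anonymous requests, so the StringEquals never matches them. Second, the bucket policy grants access on the resource side only; a principal in another member account still needs an identity-based policy in its own account that allows the same S3 actions. Third, the real organization ID comes from the management account with `aws organizations describe-organization --query Organization.Id --output text`; never copy it from an untrusted source. Some teams add a second Deny statement using StringNotEquals on the same key so that no other Allow in the policy can widen access, but that Deny also blocks AWS service principals (log delivery, for example), which carry no aws:PrincipalOrgID, so test it against every service that writes to the bucket.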