What is the MOST operationally efficient way to enforce this requirement?
Set the S3 access point resource policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
Use AWS CloudFormation StackSets to create a new IAM policy in each AWS account that allows the s3:CreateAccessPoint action only if the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
Set the S3 bucket policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
Explanations:
While setting the S3 access point resource policy can control access at the resource level, it does not prevent the creation of access points in the first place. It only affects the permissions after an access point is created.
Creating a Service Control Policy (SCP) at the root level ensures that the condition is enforced across all accounts in the organization. This prevents any account from creating S3 access points that do not meet the VPC condition, thus providing a centralized and operationally efficient control mechanism.
Using AWS CloudFormation StackSets to create IAM policies in each account adds operational overhead and complexity. Each account would need to maintain and update its own policy, which is less efficient than using a centralized SCP.
Setting a bucket policy applies only to specific buckets and does not prevent the creation of access points. It also requires manual updates for each bucket, making it less efficient than using SCPs for organization-wide enforcement.
I compute that the answer is:
Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
I would say the answer is:
Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.