Sharing a bucket only within an OU

Replace <bucket-name> with the name of your own bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Access-to-specific-ou-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<bucket-name>/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalOrgID": "<your-org-id>"
                }
            }
        }
    ]
}
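
The policy above matches on `aws:PrincipalOrgID`, which admits every account in the organization rather than a single OU. The variant below is an added example, not part of the original page: it scopes the deny to one OU with `aws:PrincipalOrgPaths` and also lists the bucket ARN itself so bucket-level actions are covered. The placeholders `<root-id>` and `<ou-id>` are assumptions to be replaced with your own organization root ID and OU ID.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Access-to-specific-ou-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ],
            "Condition": {
                "ForAllValues:StringNotLike": {
                    "aws:PrincipalOrgPaths": [
                        "<your-org-id>/<root-id>/<ou-id>/*"
                    ]
                }
            }
        }
    ]
}
```

Requests that carry no `aws:PrincipalOrgPaths` value, such as anonymous callers and AWS service principals, also satisfy this condition and are denied. If an AWS service must write to the bucket, exempt it with an additional condition on `aws:PrincipalIsAWSService`.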
