Option B is the correct solution because Amazon Q Business natively supports access control lists (ACLs) for S3 data sources using a single, centralized JSON file that maps S3 prefixes to IAM Identity Center groups. This approach directly aligns with the company’s data organization model, where each department’s data is stored under a distinct S3 prefix and each employee belongs to exactly one department group.

Using a single acl.json file at the bucket root minimizes operational overhead by centralizing access control logic in one location. Administrators can update department mappings without touching individual folders or changing IAM permissions, which simplifies governance and reduces the risk of configuration drift. Amazon Q Business automatically evaluates the user’s IAM Identity Center group membership at query time and filters accessible documents accordingly.

Option A increases operational complexity by requiring a separate ACL file in every department folder, which becomes difficult to maintain as departments or prefixes change. Option C attempts to enforce access using IAM permissions sets, but Amazon Q Business access control for S3 data sources is not designed to be managed through IAM condition logic and would significantly increase complexity. Option D introduces a custom metadata structure that is not the supported mechanism for Amazon Q Business access enforcement.

Therefore, Option B provides the cleanest, most scalable, and AWS-recommended solution for enforcing department-based access control with the least operational effort.