The correct answer is Risk based allocation of controls.

This principle states that security controls are chosen and assigned according to the assessed risk level and the sensitivity of each information resource. By focusing controls where the risk and impact are highest organizations can use resources efficiently and reduce overall exposure.

In practice at a payments firm like SummitPay this means classifying systems such as payment processing and customer data as high sensitivity and applying stronger preventive and detective controls to them while using lighter controls for lower risk systems.

Cloud Identity and Access Management is a specific type of service for managing identities and access in cloud environments and not a principle for how controls are allocated by asset criticality.

Segregation of duties is a control design principle that separates tasks and approvals to reduce fraud and error and it does not address assigning controls based on the sensitivity or criticality of information resources.

Defense in depth describes the use of multiple layers of controls across an environment to improve resilience and it complements a risk based approach but it does not by itself require controls to be allocated according to each resource's criticality.

Full AWS Practitioner Certification Question