ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 1.1: Secure AccessDomain 1SecurityAWS OrganizationsSCP

AWS SAA-C03 · Question 01 · Domain 1.1: Secure Access

A company has multiple AWS accounts in an AWS Organizations organization. The security team wants to ensure that no user or role in any member account can disable AWS CloudTrail. What is the MOST efficient way to enforce this requirement?

Answer options:

A.

Create an IAM policy denying the cloudtrail:StopLogging action and attach it to all users in every account.

B.

Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the organization root.

C.

Configure AWS Config rules in each account to automatically remediate if CloudTrail is disabled.

D.

Use AWS CloudFormation StackSets to deploy a resource-based policy to the CloudTrail bucket.

How to approach this question

Identify the requirement for cross-account, centralized permission boundaries. SCPs are the standard AWS Well-Architected way to enforce organization-wide guardrails.

Full Answer

B.Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the organization root.✓ Correct
Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the organization root.
Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. By attaching an SCP to the root, it cascades down to all OUs and member accounts.

Common mistakes

Confusing IAM policies (which must be applied per account/user) with SCPs (which apply organization-wide guardrails).
All questions02

Practice the full AWS SAA-C03 Practice Exam 1

65 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q02A solutions architect is designing an application that will run on Amazon EC2 instances. The appl...EasyQ03A company wants to implement a federated identity solution for its employees to access the AWS Ma...MediumQ04A mobile application needs to access Amazon DynamoDB directly to read user-specific data. The app...HardQ05A company is hosting a web application on Amazon EC2 instances. The application connects to an Am...MediumQ06A solutions architect is reviewing the security of an AWS account. The architect notices that the...Easy
View all 65 questions →