Medium · 1 mark · Multiple Choice
Domain 1.1: Secure Access · Domain 1 · Organizations · SCP

AWS SAA-C03 · Question 02 · Domain 1.1: Secure Access

A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no user, including root users, can disable AWS CloudTrail in any member account. Which TWO actions should the solutions architect take? (Select TWO.)

Answer options:

A. Create a Service Control Policy (SCP) that explicitly denies the cloudtrail:StopLogging action.

B. Attach an IAM permissions boundary to all IAM users in the member accounts.

C. Attach the SCP to the root of the AWS Organization.

D. Use AWS Config rules to automatically remediate disabled CloudTrail instances.

E. Create an IAM role in the management account to monitor CloudTrail status.

How to approach this question

Look for preventative controls that apply globally, including to root users. SCPs are the only mechanism for this.

Full Answer

Create a Service Control Policy (SCP) that denies disabling CloudTrail (option A) and attach it to the root of the organization (option C).
Service Control Policies (SCPs) provide central control over the maximum permissions available to every account in an organization. Because they are evaluated before any identity-based policy, they can prevent any principal in a member account, including the account's root user, from performing the denied actions.

Common mistakes

Assuming that IAM policies or permissions boundaries can restrict the root user of a member account; they cannot, because the root user is not subject to IAM identity-based policies or boundaries, only to SCPs.
