Hard · 1 mark · Multiple Choice
AWS SAA-C03 · Question 04 · Domain 1.1: Secure Access
A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no user or role in any member account can disable AWS CloudTrail. What is the MOST efficient way to enforce this?
Answer options:
A. Create an IAM policy denying cloudtrail:StopLogging and attach it to all users in all accounts.
B. Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the root of the organization.
C. Use AWS Config rules to automatically remediate if CloudTrail is disabled.
D. Configure CloudTrail to use a KMS key that no one has access to.
How to approach this question
Identify the requirement for cross-account permission boundaries and select SCPs.
Full Answer
B. Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the root of the organization. ✓ Correct
Service Control Policies (SCPs) are a type of organization policy used to manage the maximum permissions available to accounts in an AWS Organization. An SCP attached to the organization root applies to every member account, so a single deny statement keeps all of them within the organization's access control guidelines without touching the IAM policies inside each account.
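The SCP the correct answer describes, written out as an added example; it is not part of the original question page. It denies the cloudtrail:StopLogging action named on the page and, going one step beyond it, also denies cloudtrail:DeleteTrail and cloudtrail:UpdateTrail, because a trail can be silenced through those actions as well. The statement ID DenyDisablingCloudTrail is a name chosen here. One caveat a practitioner should keep in mind: SCPs apply to member accounts only, so CloudTrail in the management account needs to be protected separately.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    }
  ]
}
```

Create it as a policy of type SERVICE_CONTROL_POLICY (for example with `aws organizations create-policy --type SERVICE_CONTROL_POLICY`) and attach it to the organization root with `aws organizations attach-policy`; once attached at the root, no IAM user or role in any member account can be granted these actions, regardless of what its own IAM policies allow.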
Common mistakes
Confusing SCPs with standard IAM policies: an IAM policy must be attached in each account and can be detached by anyone with IAM rights there, whereas an SCP is enforced from the organization and caps what every member account can do.