Medium · 1 mark · Multiple Choice
AWS SAA-C03 · Question 01 · Domain 1.1: Secure Access
A company has multiple AWS accounts in an AWS Organizations organization. The security team wants to ensure that AWS CloudTrail is enabled across all accounts and cannot be disabled by any local account administrators.

What is the MOST secure way to achieve this?
Answer options:
A. Create an IAM policy in each account that denies the cloudtrail:StopLogging action.
B. Use AWS Organizations Service Control Policies (SCPs) to deny the disabling of CloudTrail.
C. Use AWS Config rules to automatically remediate if CloudTrail is disabled.
D. Enable CloudTrail from the management account.
How to approach this question
Look for centralized, preventive controls when managing multiple accounts.
Full Answer
B. Use AWS Organizations Service Control Policies (SCPs) to deny the disabling of CloudTrail. ✓ Correct
Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. They offer central control over the maximum available permissions for all accounts.
Common mistakes
Confusing reactive controls (AWS Config) with preventive controls (SCPs).