Medium · 1 mark · Multiple Choice
Tags: Domain 1.1: Secure Access · Security · AWS Organizations · SCP

AWS SAA-C03 · Question 01 · Domain 1.1: Secure Access

A company has multiple AWS accounts in an AWS Organizations organization. The security team needs to ensure that no user or role in any account can disable AWS CloudTrail. What is the MOST secure and efficient way to meet this requirement?

Answer options:

A.

Create an IAM policy that denies the cloudtrail:StopLogging action and attach it to all IAM users in every account.

B.

Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the organization root.

C.

Use AWS Config rules to automatically remediate and restart CloudTrail if it is stopped.

D.

Modify the CloudTrail resource policy to deny the StopLogging action for all principals.

How to approach this question

Identify that the requirement calls for a preventive control that applies across every account in the organization, not a per-identity or after-the-fact control. Service Control Policies (SCPs) are the AWS Organizations feature built for this.

Full Answer

B. Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the organization root. ✓ Correct

Service Control Policies (SCPs) offer central control over the maximum available permissions for all accounts in your organization. A deny attached at the organization root applies to every IAM user and role in every member account (including each member account's root user, though not to principals in the management account), so no identity can be granted the ability to stop CloudTrail logging, regardless of its IAM policies.

Common mistakes

Confusing IAM policies (which apply to specific identities and must be attached to every user and role, including ones created later) with SCPs (which set a permissions ceiling for entire accounts or OUs). Also mistaking a detective or corrective control, such as an AWS Config remediation that restarts CloudTrail, for a preventive one: it allows the gap in logging to occur before it is repaired.

Practice the full AWS SAA-C03 Practice Exam 7