Difficulty: Medium · 1 mark · Multiple Choice
Domain 1.2: Security Controls · Tags: Security, Organizations, SCP

AWS SAP-C02 · Question 02 · Domain 1.2: Security Controls

A company uses AWS Organizations. The security team wants to ensure that no IAM user or role can disable AWS CloudTrail in any member account, even if they have AdministratorAccess. How can this be achieved?

Answer options:

A. Create an IAM permissions boundary and attach it to all users and roles.

B. Apply a Service Control Policy (SCP) to the organization root that denies the cloudtrail:StopLogging action.

C. Use AWS Config rules to automatically restart CloudTrail if it is stopped.

D. Enable CloudTrail Organization trails, which cannot be disabled by member accounts.

How to approach this question

Look for the mechanism that provides centralized, preventative guardrails across an organization.

Full Answer

B. Apply a Service Control Policy (SCP) to the organization root that denies the cloudtrail:StopLogging action. ✓ Correct

SCPs are used to set preventative guardrails across all accounts in an AWS Organization.
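As an added illustration (not part of the original question or its answer key), the following SCP denies the cloudtrail:StopLogging action named in the correct answer. Attached to the organization root, it applies to every principal in every member account, including those holding AdministratorAccess, because SCPs cap the permissions IAM policies can grant rather than being overridden by them. The policy name and the wildcard resource are assumptions for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyStopCloudTrailLogging",
      "Effect": "Deny",
      "Action": "cloudtrail:StopLogging",
      "Resource": "*"
    }
  ]
}
```

Note that an SCP does not apply to the management account itself, so the organization's own administrative account still needs separate controls. The same Deny pattern extends to related actions such as cloudtrail:DeleteTrail if the goal is to prevent any form of tampering with the trail, not only stopping it.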

Common mistakes

Confusing SCPs with IAM policies or boundaries.
