Medium · 1 mark · Multiple Choice
Domain 1.4: Multi-Account Environment · Security · CloudTrail · Organizations

AWS SAP-C02 · Question 28 · Domain 1.4: Multi-Account Environment

A company has a centralized logging account. They want to ensure that AWS CloudTrail logs from all 100 member accounts in their Organization are sent to an S3 bucket in the logging account, and member account admins cannot disable this. What is the BEST solution?

Answer options:

A. Create a CloudTrail trail in each account and configure cross-account S3 permissions.

B. Create an Organization Trail in the management account.

C. Use AWS Config to enforce CloudTrail enablement.

D. Use an SCP to deny the cloudtrail:StopLogging action.

How to approach this question

Identify the centralized logging feature of AWS Organizations.

Full Answer

B. Create an Organization Trail in the management account. ✓ Correct

An Organization Trail, created from the management account, logs events for every account in the organization to the designated S3 bucket, and member account administrators can view the trail but cannot modify, stop, or delete it.

Common mistakes

Relying on per-account trails plus SCPs (options A and D) instead of the native Organization Trail, which delivers the same centralization and tamper protection as a single managed feature.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 3
