AWS SAP-C02 · Question 07 · Domain 1.2: Security Controls
A healthcare company is migrating to AWS and must comply with HIPAA. They are setting up a multi-account structure. They need to ensure that AWS CloudTrail logs are immutable, encrypted, and centrally stored. Additionally, they must automatically detect if any CloudTrail logging is disabled across the organization. Which combination of steps should the Architect take? (Select THREE)
Answer options:
Create an organization trail in AWS Organizations that logs to a central S3 bucket.
Enable S3 Object Lock in compliance mode on the central CloudTrail S3 bucket.
Deploy an AWS Config rule (cloudtrail-enabled) across all accounts using AWS CloudFormation StackSets.
Use Amazon Macie to continuously monitor the CloudTrail S3 bucket for unauthorized modifications.
Create a Service Control Policy (SCP) that denies the s3:DeleteObject action on all S3 buckets in the organization.
Enable AWS Shield Advanced on the central CloudTrail S3 bucket to protect against DDoS attacks.
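The stem asks for two controls that are easy to state and easy to get wrong in practice: detecting when CloudTrail logging is disabled anywhere in the organization, and making the central log bucket immutable. The block below is an added example (not part of the question bank or of any AWS-published code) that shows what those checks look like over data shaped like CloudTrail's own JSON: a detector for trail-tampering management events run over a constructed CloudTrail log file, a per-account evaluation in the spirit of the `cloudtrail-enabled` managed Config rule over constructed DescribeTrails/GetTrailStatus-style snapshots, and a check that an Object Lock configuration is actually in COMPLIANCE mode rather than GOVERNANCE mode. All account IDs, ARNs, bucket names and records are constructed for this example.

```python
"""Detect disabled or weakened CloudTrail logging, and verify bucket immutability.

Added example, not from the original question page. Record layout follows the
CloudTrail JSON log format; every account ID, ARN and bucket name is constructed.
"""
import json

# CloudTrail management API calls that stop, delete or reconfigure a trail.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

KMS_KEY = "arn:aws:kms:us-east-1:111111111111:key/11111111-1111-1111-1111-111111111111"

# Constructed CloudTrail log file (same top-level layout as a delivered log object).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging",
     "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/OrgAdmin"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/AppRole"},
     "requestParameters": {"bucketName": "app-data"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "recipientAccountId": "222222222222",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/alice"},
     "requestParameters": {"name": "member-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "errorCode": "AccessDenied",  # call was refused (e.g. by an SCP) but still attempted
     "recipientAccountId": "333333333333",
     "userIdentity": {"arn": "arn:aws:iam::333333333333:user/bob"},
     "requestParameters": {"name": "org-trail"}},
]})


def find_logging_tampering(log_text):
    """Return one finding per management event that stops, deletes or reconfigures
    a trail. Denied attempts (errorCode present) are reported as blocked=True:
    a preventive control may have stopped the call, but the attempt is an indicator."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") not in LOGGING_TAMPER_EVENTS:
            continue
        findings.append({
            "account": rec.get("recipientAccountId"),
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn"),
            "trail": rec.get("requestParameters", {}).get("name"),
            "blocked": "errorCode" in rec,
        })
    return findings


# Constructed snapshots: for each account, the trails visible to it, shaped like
# DescribeTrails merged with GetTrailStatus. An organization trail is visible in
# every member account, which is why it appears under more than one account here.
ORG_TRAIL = {"TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
             "IsLogging": True, "IsMultiRegionTrail": True, "IsOrganizationTrail": True,
             "S3BucketName": "central-cloudtrail-logs", "KmsKeyId": KMS_KEY}
SAMPLE_TRAILS = {
    "111111111111": [ORG_TRAIL],
    "222222222222": [ORG_TRAIL,
                     {"TrailARN": "arn:aws:cloudtrail:us-east-1:222222222222:trail/member-trail",
                      "IsLogging": False, "IsMultiRegionTrail": True, "IsOrganizationTrail": False,
                      "S3BucketName": "central-cloudtrail-logs", "KmsKeyId": KMS_KEY}],
    "333333333333": [{"TrailARN": "arn:aws:cloudtrail:eu-west-1:333333333333:trail/local-trail",
                      "IsLogging": True, "IsMultiRegionTrail": False, "IsOrganizationTrail": False,
                      "S3BucketName": "some-other-bucket", "KmsKeyId": None}],
}


def evaluate_trails(trails_by_account, required_bucket=None, require_kms=False):
    """Per-account evaluation in the spirit of the cloudtrail-enabled managed rule:
    COMPLIANT when at least one visible trail is logging, optionally to the
    required central bucket and optionally with KMS (SSE-KMS) encryption."""
    result = {}
    for account, trails in trails_by_account.items():
        ok = any(
            t.get("IsLogging")
            and (required_bucket is None or t.get("S3BucketName") == required_bucket)
            and (not require_kms or bool(t.get("KmsKeyId")))
            for t in trails
        )
        result[account] = "COMPLIANT" if ok else "NON_COMPLIANT"
    return result


def bucket_is_immutable(lock_config):
    """True when a GetObjectLockConfiguration-shaped response shows Object Lock enabled
    with a COMPLIANCE-mode default retention. GOVERNANCE mode is not immutable: a
    principal with s3:BypassGovernanceRetention can still delete the objects."""
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return False
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    return retention.get("Mode") == "COMPLIANCE"


if __name__ == "__main__":
    for f in find_logging_tampering(SAMPLE_LOG):
        print("tamper event:", f)
    print(evaluate_trails(SAMPLE_TRAILS, required_bucket="central-cloudtrail-logs", require_kms=True))
```

The event detector and the status evaluation are deliberately separate: the first catches a `StopLogging` or `DeleteTrail` call at the moment it happens (including refused attempts, which are worth alerting on), while the second is a point-in-time state check of the kind a Config rule performs and will also catch trails that were never created or that silently fail delivery. The Object Lock check is the caveat practitioners most often miss: an "Object Lock enabled" bucket in GOVERNANCE mode does not meet an immutability requirement.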