AWS SAP-C02 · Question 33 · Domain 1.2: Security Controls
A company is using AWS Organizations. The security team wants to ensure that no one, including the root user of member accounts, can disable AWS CloudTrail. They have applied a Service Control Policy (SCP) to the root of the organization denying the cloudtrail:StopLogging action. However, during an audit, they discover that an administrator in a member account was able to disable CloudTrail. What is the MOST likely reason for this?
Answer options:
The CloudTrail trail was created locally in the member account, and the administrator deleted the trail instead of stopping it.
The administrator used the AWS root user credentials of the member account, which bypasses SCPs.
The member account had an IAM policy with an explicit Allow for cloudtrail:StopLogging, which overrides the SCP.
The SCP was attached to the Workloads OU, but the member account was in the Security OU.