Hard · 1 mark · Multiple Choice
AWS SAP-C02 · Question 06 · Domain 1.2: Security Controls
An enterprise uses AWS Organizations with all features enabled. The CISO mandates that no AWS account can disable AWS CloudTrail, and this rule must apply to the root user of member accounts. What is the MOST secure way to enforce this?
Answer options:
A. Create an IAM policy denying cloudtrail:StopLogging and attach it to all users in all accounts.
B. Apply a Service Control Policy (SCP) to the Organization root that denies the cloudtrail:StopLogging action.
C. Use AWS Config rules to automatically remediate if CloudTrail is disabled.
D. Enable CloudTrail Organization trails from the management account.
How to approach this question
Identify the only mechanism that can restrict the root user of a member account. IAM policies cannot be attached to root, and detective controls (Config, organization trails) do not stop the API call from succeeding; only an organization-level guardrail does.
Full Answer
B. Apply a Service Control Policy (SCP) to the Organization root that denies the cloudtrail:StopLogging action. ✓ Correct
Service Control Policies (SCPs) set the maximum permissions available to every principal in the member accounts they are attached to, and unlike IAM policies they bind the member account's root user as well. Attaching the SCP to the Organization root makes it inherited by every OU and account beneath it, so no member account can opt out. Two caveats matter in practice. First, SCPs never restrict the management account, which is why the organization trail itself should be created from the management account (option D is a sensible complement to B, but on its own it restricts nothing). Second, an explicit deny on cloudtrail:StopLogging alone still leaves cloudtrail:DeleteTrail, cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors, each of which can silence or blind a trail just as effectively; a production SCP denies all of them. Option A fails because IAM policies cannot be attached to root and can be edited by any account administrator; option C is reactive, leaves a window in which logging is off, and the remediation itself can be disabled by root unless an SCP protects it.
Common mistakes
Relying on IAM policies, which local administrators can modify or bypass using the root user (the root user is not subject to IAM policies at all).
Treating AWS Config auto-remediation or an organization trail as preventive controls: both are useful layers, but only an SCP stops the StopLogging call before it succeeds.
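An SCP of the shape the correct answer describes, added here as a worked example (it is not part of the exam page). It goes beyond the single cloudtrail:StopLogging action in the question and also denies the other CloudTrail API actions that can disable, delete or blind a trail; the Sid is an arbitrary label chosen for this example, the action names are the real CloudTrail API actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    }
  ]
}
```

Create it with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://scp.json --name <name> --description <text>` from the management account and attach it with `aws organizations attach-policy --policy-id <policy-id> --target-id <root-id>`; `aws organizations list-policies-for-target --target-id <account-or-ou-id> --filter SERVICE_CONTROL_POLICY` confirms it is inherited where you expect. To verify the control, run `aws cloudtrail stop-logging --name <trail>` as the root user of a member account: the call must fail with an AccessDeniedException that cites the explicit deny in a service control policy. If a break-glass role must keep the ability to reconfigure trails, carve it out with a `StringNotLike` condition on `aws:PrincipalArn` rather than by weakening the action list, and remember the management account is never covered by the SCP.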