AWS SAP-C02 · Question 19 · Domain 1.2: Security Controls
An enterprise uses AWS Organizations. The security team wants to ensure that no IAM user or role in any member account can disable AWS CloudTrail. However, the central security team's IAM role in the management account must retain this ability. How should this be implemented?
Answer options:
Create an SCP that denies the cloudtrail:StopLogging action. Apply it to the root of the organization. SCPs do not affect the management account.
Create an IAM permissions boundary that denies cloudtrail:StopLogging and attach it to all users and roles in all accounts.
Create an SCP that denies cloudtrail:StopLogging, but add a condition to allow it if the Principal is the security team's role.
Use AWS Config to automatically re-enable CloudTrail if it is disabled.
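For reference, here is what an organization-wide CloudTrail-protection SCP of the kind the first option describes looks like. This is an added example, not part of the original question or an official AWS sample. The question only names cloudtrail:StopLogging; this policy also denies the other actions a practitioner would normally treat as equivalent ways of silencing a trail (DeleteTrail, UpdateTrail, PutEventSelectors), and the Sid is a chosen name, not one the page uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach the policy to the organization root so it is inherited by every OU and member account. Nothing in the policy needs to exempt the central security role: SCPs never apply to principals in the management account, so that role keeps its CloudTrail permissions as long as its own IAM policy grants them. Two caveats worth remembering when adapting this: an SCP cannot contain a Principal element, so an exemption for a specific role inside a member account (if one were ever required) is expressed as a Condition on aws:PrincipalArn in the Deny statement, and an SCP only limits permissions and never grants them, so the security role still needs an explicit IAM Allow for the CloudTrail actions it uses.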