
A DevOps engineer is tasked with implementing a consistent set of security measures across multiple AWS accounts organized under AWS Organizations. Each account is to be managed by separate teams with the AdministratorAccess policy. The requirement is to activate AWS CloudTrail and AWS Config in all AWS Regions for these accounts. While individual account administrators should not have the ability to alter or remove the foundational resources, they must be allowed to modify or remove their own CloudTrail trails and AWS Config rules. What is the most operationally efficient solution to achieve these security and administrative requirements?
A. Develop an AWS CloudFormation template that specifies the standard resources for each account and deploy it to all accounts via CloudFormation StackSets from the management account, applying a stack policy that prohibits Update:Delete actions.

B. Set up AWS Control Tower, integrate the existing accounts into this framework, and provide individual account administrators with access to manage CloudTrail and AWS Config.

C. Appoint an AWS Config management account to oversee the configuration of AWS Config recorders across all accounts using AWS CloudFormation StackSets, distribute AWS Config rules to the organization through the management account, establish a CloudTrail organization trail in the management account, and use an SCP to prevent changes or deletions to the AWS Config recorders.

D. Craft an AWS CloudFormation template that outlines the standard resources for each account, deploy it to all accounts using CloudFormation StackSets from the management account, and implement an SCP to block updates or deletions to CloudTrail or AWS Config resources unless executed by an administrator from the management account.