
A company uses AWS Organizations to manage multiple AWS accounts. The security team has observed that some member accounts are not forwarding AWS CloudTrail logs to a central Amazon S3 bucket. To enforce logging across all accounts, both existing and future ones, what actions should the security team take?
A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge to send a notification if a trail is deleted or stopped.
B. Deploy an AWS Lambda function in every account to check whether a trail already exists and create a new trail if needed.
C. Edit the existing trail in the Organizations management account and apply it to the organization.
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.