
Answer-first summary for fast verification
Answer: Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
The correct answer is C. An SCP (Service Control Policy) in AWS Organizations lets you set permission guardrails for the whole organization or for individual organizational units and accounts. By creating an SCP that denies changes to the specific CloudTrail trail and attaching it to the appropriate organizational unit or account, you ensure that no DevOps team member can modify or disable the CloudTrail configuration. SCPs are enforced on every IAM principal in the member accounts they apply to, including each account's root user, which is what makes them a robust solution for this requirement. The IAM-based options (A and D) can be changed by anyone with IAM permissions in the child account, and an S3 bucket policy (B) protects the log bucket but not the trail configuration itself.
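The following is an added example of the kind of SCP option C describes; it is not from the original page. The trail name (org-audit-trail) is an assumed placeholder, and the wildcard region and account fields let the same statement match the trail of that name in every member account the SCP is attached to. Add a scoped SCP like this to the OU that contains the DevOps child accounts:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangesToAuditTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:PutInsightSelectors",
        "cloudtrail:RemoveTags"
      ],
      "Resource": "arn:aws:cloudtrail:*:*:trail/org-audit-trail"
    }
  ]
}
```

Two caveats a practitioner should keep in mind: an SCP never grants access, it only caps what IAM policies in the member account can allow, so the deny above still has to be paired with the usual IAM policies for day-to-day work; and SCPs do not apply to the organization's management account, so the account that owns the central S3 bucket and any organization-wide trail should be tightly controlled by other means (such as the bucket policy in option B used as a complementary control, not a replacement).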
Author: LeetQuiz Editorial Team
A company is setting up individual child accounts within AWS Organizations for each of its DevOps teams. AWS CloudTrail is configured across all accounts to log audit events to a centralized Amazon S3 bucket in a designated AWS account. A security engineer must ensure that DevOps team members cannot alter or disable this CloudTrail configuration. What measures can the security engineer implement to achieve this?
A
Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.
B
Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.
C
Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
D
Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.