
A company is setting up individual child accounts within AWS Organizations for each of its DevOps teams. AWS CloudTrail is configured across all accounts to log audit events to a centralized Amazon S3 bucket in a designated AWS account. A security engineer must ensure that DevOps team members cannot alter or disable this CloudTrail configuration. What measures can the security engineer implement to achieve this?
A. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.
B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.
C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
D. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.