
Answer-first summary for fast verification
Answer: Create a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts.
## Explanation

**Correct Answer: C** - Create a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts.

### Why this is correct:

1. **Service control policies (SCPs)** are the AWS Organizations mechanism for setting the maximum permissions available in member accounts. An action that an SCP denies cannot be performed by any principal in the account, no matter what the account's own IAM policies grant.
2. **Root user coverage**: SCPs apply to every user and role in an attached member account, including the account's root user. IAM identity-based policies cannot be attached to the root user, so an SCP is the only policy type that can constrain root. (SCPs do not apply to the organization's management account itself, which is why the mandatory CloudTrail configuration should be owned there.)
3. **Organization-wide enforcement**: An SCP attached to the organizational unit (OU) that holds the developer accounts, or to each account directly, is inherited by every account under it, including accounts created later, so the control is enforced consistently without per-account setup.

### Why other options are incorrect:

**A. Create an IAM policy that prohibits changes to CloudTrail, and attach it to the root user.**
- IAM policies cannot be attached to the root user, and the root user is not subject to IAM identity-based policies.
- Even if such a restriction could be placed inside the account, root has full administrative access and could simply remove it.

**B. Create a new trail in CloudTrail from within the developer accounts with the organization trails option enabled.**
- Organization trails can only be created from the organization's management account (or a delegated administrator account), not from within a member account, so this option cannot be carried out as described.
- Creating an additional trail also does nothing to stop a developer from modifying or deleting the mandatory trail the question is about. An organization trail does protect itself (member accounts can see it but cannot modify or delete it), but that protection comes from creating it in the management account, not from the member account.

**D. Create a service-linked role for CloudTrail with a policy condition that allows changes only from an Amazon Resource Name (ARN) in the management account.**
- Service-linked roles are assumed by AWS services to act on your behalf; their permissions are predefined by the service and they do not constrain what other principals in the account can do.
- A root user can still call `cloudtrail:UpdateTrail`, `cloudtrail:StopLogging` or `cloudtrail:DeleteTrail` directly, regardless of any service-linked role.

### Key AWS Concepts:

- **SCPs** define the maximum permissions that can be used in member accounts; they grant nothing by themselves and only filter what IAM policies may allow. They do not affect service-linked roles or the management account.
- **Root user** has complete access to all AWS services and resources in its account and cannot be restricted with IAM policies.
- **AWS Organizations** enables centralized management of multiple AWS accounts.
- **CloudTrail** records AWS API calls for your account and delivers log files to an Amazon S3 bucket.

This solution ensures that even developers with root user access cannot modify the mandatory CloudTrail configuration, maintaining security compliance across all developer accounts.
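The explanation above describes the SCP in words; the following is an added worked example (not from the original page or from AWS) of what that SCP document looks like, with a small local check that it denies the mutating CloudTrail actions while leaving read-only ones alone and that it scopes to member accounts only. The `cloudtrail:*` action names are real CloudTrail API actions; the statement Sid, policy name, account IDs and OU ID are placeholders chosen for the example.

```python
"""Service control policy that blocks changes to CloudTrail in member accounts.

Added example, not code from the original page. The Sid, policy name and
account/OU identifiers are assumptions; the cloudtrail:* actions are real.
"""
import fnmatch
import json

# CloudTrail API actions that could weaken, stop or remove the mandatory trail.
DENIED_CLOUDTRAIL_ACTIONS = [
    "cloudtrail:DeleteTrail",
    "cloudtrail:StopLogging",
    "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors",
    "cloudtrail:PutInsightSelectors",
]


def build_cloudtrail_scp() -> dict:
    """Return the SCP document. An explicit Deny in an SCP overrides any Allow
    from IAM policies and applies to every principal in the attached account,
    the root user included."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCloudTrailChanges",  # Sid is an assumption
                "Effect": "Deny",
                "Action": DENIED_CLOUDTRAIL_ACTIONS,
                "Resource": "*",
            }
        ],
    }


def _action_matches(action: str, pattern: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(action: str, scp: dict) -> bool:
    """True if any Deny statement in the SCP matches the given action."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(_action_matches(action, p) for p in patterns):
            return True
    return False


def action_blocked(action: str, principal_account: str,
                   management_account: str, scp: dict) -> bool:
    """Local approximation of SCP scope: an SCP attached to a member account
    applies to all principals there (root included) but never to the
    management account, which SCPs do not govern."""
    if principal_account == management_account:
        return False
    return scp_denies(action, scp)


if __name__ == "__main__":
    scp = build_cloudtrail_scp()
    print(json.dumps(scp, indent=2))
    # Deploy from the management account (placeholder policy and OU IDs):
    #   aws organizations create-policy --type SERVICE_CONTROL_POLICY \
    #       --name DenyCloudTrailChanges --content file://scp.json
    #   aws organizations attach-policy --policy-id p-xxxxxxxx \
    #       --target-id ou-xxxx-xxxxxxxx
```

Attaching the policy to the developers' OU rather than to each account means new accounts moved into that OU inherit the control automatically. If a central platform role in the member accounts must still be able to adjust trails, add an `aws:PrincipalArn` condition (for example `ArnNotLike`) to the Deny statement rather than loosening the action list; the root user of a member account never matches such an exemption.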
Author: LeetQuiz Editorial Team
A solutions architect is designing a security solution for a company that wants to provide developers with individual AWS accounts through AWS Organizations, while also maintaining standard security controls. Because the individual developers will have AWS account root user-level access to their own accounts, the solutions architect wants to ensure that the mandatory AWS CloudTrail configuration that is applied to new developer accounts is not modified.
Which action meets these requirements?
A. Create an IAM policy that prohibits changes to CloudTrail, and attach it to the root user.
B. Create a new trail in CloudTrail from within the developer accounts with the organization trails option enabled.
C. Create a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts.
D. Create a service-linked role for CloudTrail with a policy condition that allows changes only from an Amazon Resource Name (ARN) in the management account.