A company has multiple AWS accounts in an AWS Organizations organization. The security team wants to ensure that no user or role in any member account can disable AWS CloudTrail. <br/><br/>Which solution is the MOST secure and requires the LEAST operational overhead?

Answer options:

Create an IAM permissions boundary in each account that denies the cloudtrail:StopLogging action.

Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the organization root.

Use AWS Config rules to automatically remediate and re-enable CloudTrail if it is disabled.

Modify the resource-based policy of the CloudTrail S3 bucket to deny the StopLogging API call.

How to approach this question

Identify the requirement for cross-account preventative security controls. AWS Organizations SCPs are the best fit for this.

Full Answer

B.Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the organization root.✓ Correct

Service Control Policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization.

Common mistakes

Confusing SCPs (preventative) with AWS Config (detective/reactive).

All questions Question 02

Practice the full AWS SAA-C03 Practice Exam 4

65 questions · hints · full answers · grading

More questions from this exam

Q02An application running on Amazon EC2 instances needs to access an Amazon DynamoDB table. Both res...Easy Q03A company is designing a web application that will be hosted on AWS. The application will use an ...Medium Q04A company is building a mobile app that requires users to authenticate using their social media a...Hard Q05A solutions architect is designing a VPC for a three-tier web application. The database tier must...Medium Q06A company requires that all data stored in Amazon S3 must be encrypted at rest using keys managed...Easy

View all 65 questions →