AWS SAA-C03 · Question 01 · Domain 1.1: Secure Access
A company has multiple AWS accounts in an AWS Organizations organization. The security team needs to ensure that no user or role in any account can disable AWS CloudTrail. What is the MOST secure and efficient way to meet this requirement?
Answer options:
Create an IAM policy that denies the cloudtrail:StopLogging action and attach it to all IAM users in every account.
Create a Service Control Policy (SCP) that denies the cloudtrail:StopLogging action and attach it to the organization root.
Use AWS Config rules to automatically remediate and restart CloudTrail if it is stopped.
Modify the CloudTrail resource policy to deny the StopLogging action for all principals.
65 questions · hints · full answers · grading
Expert