AWS SAP-C02 · Question 17 · Domain 1.2: Security Controls
A company is designing a multi-account architecture. They need to ensure that developers in 'Sandbox' accounts have administrative access, but they absolutely cannot disable AWS CloudTrail or modify AWS Config rules. Which TWO actions should the architect take? (Select TWO)
Answer options:
Attach an IAM policy to the developers granting AdministratorAccess.
Use AWS IAM permissions boundaries to restrict CloudTrail and Config access.
Place the Sandbox accounts in a specific Organizational Unit (OU).
Deploy a Lambda function to automatically re-enable CloudTrail if disabled.
Apply a Service Control Policy (SCP) to the Sandbox OU denying 'cloudtrail:StopLogging' and 'config:DeleteConfigRule'.
Remove AdministratorAccess from the developers.