A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration. How can the security engineer meet these requirements?
A) Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.
B) Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.
C) Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
D) Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.