AWS Certified Security – Specialty (SCS-C02) — Question 245
A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.
A security engineer must implement a solution to prevent CloudTrail from being disabled.
Which solution will meet this requirement?
Answer options
- A. Enable CloudTrail log file integrity validation from the organization’s management account.
- B. Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.
- C. Create an SCP that includes an explicit Deny rule for the StopLogging action and the DeleteTrail action. Attach the SCP to the root OU.
- D. Create IAM policies for all the company’s users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.
Correct answer: C
Explanation
The correct answer is C. A service control policy attached to the root OU applies to every account in the organization, and an explicit Deny in an SCP cannot be overridden by any IAM policy, not even for the root user of a member account. Denying cloudtrail:StopLogging and cloudtrail:DeleteTrail therefore removes the two calls that turn a trail off, whatever permissions an individual identity has been granted. Two caveats worth remembering in practice: SCPs never apply to the organization's management account, so the trail must still be protected there by tight access control on that account, and a policy that denies only these two actions still leaves calls such as cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors available, which can weaken a trail without disabling it.
Options A and B protect the log files rather than the trail. Log file integrity validation (A) lets you detect after the fact that a delivered file was altered or deleted, and SSE-KMS (B) controls who can read the logs; neither stops a StopLogging or DeleteTrail call. Option D denies only the read-only DescribeTrails and GetTrailStatus calls, which hampers defenders trying to verify the trail while leaving the users free to disable it, and IAM policies in a member account can be edited by anyone with sufficient IAM permissions in that account.
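As an added illustration (not part of the exam page), the following Python writes out the SCP from option C as a policy document and models the two evaluation rules that make it effective: an explicit Deny blocks the action for every principal in a member account, and SCPs are skipped entirely for the management account. The Sid, the helper names and the candidate action list are assumptions chosen for the example; the action names themselves are real CloudTrail API actions. The real AWS evaluation logic is far richer (Condition, NotAction, resource policies), so the evaluator covers only the Effect/Action/Resource subset this SCP uses.

```python
"""Model of how the option-C SCP is evaluated (added example, not AWS code)."""
import fnmatch
import json

# The SCP from option C. "DenyCloudTrailDisable" is a Sid we chose; SCPs have
# no Principal element because they apply to every principal in the account.
# Resource "*" is required: StopLogging/DeleteTrail take a trail ARN chosen by
# the caller, so the deny must cover all of them.
DENY_CLOUDTRAIL_DISABLE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailDisable",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        }
    ],
}


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(policy: dict, action: str, is_management_account: bool = False) -> bool:
    """Return True if an explicit Deny statement in `policy` blocks `action`.

    Modelled SCP properties:
      * an explicit Deny wins regardless of what IAM policies grant, and it
        applies to every principal in the member account, including root;
      * SCPs never apply to the organization's management account, so the
        same call from that account is not blocked by this mechanism.
    """
    if is_management_account:
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            return True
    return False


# Constructed list of CloudTrail calls an attacker might use against a trail.
# The last two are real API actions that option C's policy does NOT cover.
CANDIDATE_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetTrailStatus",
    "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors",
]


def blocked_actions(policy: dict, candidates: list, is_management_account: bool = False) -> list:
    """Return the subset of `candidates` the SCP blocks, in the order given."""
    return [a for a in candidates if scp_denies(policy, a, is_management_account)]


if __name__ == "__main__":
    print(json.dumps(DENY_CLOUDTRAIL_DISABLE, indent=2))
    print("Blocked in a member account:", blocked_actions(DENY_CLOUDTRAIL_DISABLE, CANDIDATE_ACTIONS))
    print("Blocked in the management account:",
          blocked_actions(DENY_CLOUDTRAIL_DISABLE, CANDIDATE_ACTIONS, is_management_account=True))
```

Running the script shows that StopLogging and DeleteTrail are blocked in member accounts while the read-only calls from option D remain available to defenders. It also makes the two caveats concrete: nothing is blocked in the management account, and UpdateTrail and PutEventSelectors pass through, so a hardened version of this SCP would normally deny those as well.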