AWS Certified Security – Specialty (SCS-C02) — Question 53

A company manages multiple AWS accounts using AWS Organizations. The company’s security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.
Which set of actions should the security team implement to accomplish this?

Answer options

• A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge to send notification if a trail is deleted or stopped.
• B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
• C. Edit the existing trail in the Organizations management account and apply it to the organization.
• D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.

Correct answer: C

Explanation

The correct answer is C because editing the existing trail in the Organizations management account allows it to be applied across all member accounts, ensuring compliance for current and future accounts. Option A introduces unnecessary complexity with notifications, while B requires deploying Lambda functions in every account, which is not efficient. Option D could prevent deletion or stopping of trails, but it does not ensure that a trail is actually created or configured in the first place.