AWS Certified Security – Specialty — Question 175

A company manages multiple AWS accounts using AWS Organizations. The company's security team notices that some member accounts are not sending AWS
CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future.
Which set of actions should the security team implement to accomplish this?

Answer options

• A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.
• B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
• C. Edit the existing trail in the Organizations master account and apply it to the organization.
• D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.

Correct answer: C

Explanation

The correct answer is C because editing the existing trail in the Organizations master account and applying it to the organization ensures that all member accounts are covered by the same logging configuration. Option A, while it creates a new trail, does not guarantee coverage for existing accounts. Option B requires manual intervention for each account, which is not efficient, and option D restricts actions but does not ensure that trails are created or maintained.