AWS Certified Security – Specialty — Question 246

A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration.

How can the security engineer meet these requirements?

Answer options

Correct answer: C

Explanation

The correct answer is C because service control policies (SCPs) are designed to set permission guardrails across an AWS Organizations organization, and they apply to every principal in a member account, so even that account's root user cannot override the CloudTrail configuration. Option A is incorrect because applying an IAM policy to the root user does not prevent other users in the account from making changes. Option B is not suitable because an S3 bucket policy only controls access to the bucket; it cannot restrict what is done to services such as CloudTrail in other accounts. Option D, while it restricts changes, does not provide the same organization-wide control as an SCP.