AWS Certified Security – Specialty — Question 361

A company is using AWS Organizations to create OUs for its accounts. The company has more than 20 accounts that are all part of the OUs. A security engineer must implement a solution to ensure that no account can stop log file delivery to AWS CloudTrail.

Which solution will meet this requirement?

Answer options

• A. Use the --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.
• B. Create an SCP that includes a Deny rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
• C. Create an SCP that includes an Allow rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
• D. Use AWS Systems Manager to ensure that CloudTrail is always turned on.

Correct answer: B

Explanation

A Service Control Policy (SCP) with an explicit Deny rule for the cloudtrail:StopLogging action restricts all users and roles, including the root user, from disabling CloudTrail logging within the target member accounts. Because an explicit Deny in an SCP overrides any permissions granted at the IAM level, this ensures log delivery cannot be stopped. Other options, such as using AWS Systems Manager or creating an Allow SCP, do not enforce this restriction.