AWS Certified Solutions Architect – Associate (SAA-C02) — Question 219
A solutions architect is designing a security solution for a company that wants to provide developers with individual AWS accounts through AWS Organizations, while also maintaining standard security controls. Because the individual developers will have AWS account root user-level access to their own accounts, the solutions architect wants to ensure that the mandatory AWS CloudTrail configuration that is applied to new developer accounts is not modified.
Which action meets these requirements?
Answer options
- A. Create an IAM policy that prohibits changes to CloudTrail, and attach it to the root user.
- B. Create a new trail in CloudTrail from within the developer accounts with the organization trails option enabled.
- C. Create a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts.
- D. Create a service-linked role for CloudTrail with a policy condition that allows changes only from an Amazon Resource Name (ARN) in the management account.
Correct answer: C
Explanation
The correct answer is C because a service control policy (SCP) enforces restrictions on the actions that can be taken within member accounts of an organization, including preventing changes to CloudTrail. Unlike IAM policies, an SCP applies to every principal in the member account, the account root user included, and it is managed from the organization's management account, so a developer cannot remove it from inside their own account. Option A is incorrect because IAM policies attached to the root user do not effectively prevent modifications at the organizational level. Option B does not address the requirement to restrict changes to the mandatory configuration, and option D is not suitable because it allows changes from specific ARNs rather than enforcing a global restriction across the developer accounts.
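As an added illustration of option C (not part of the original question or an AWS-published policy), the following SCP denies the CloudTrail API calls that would stop, delete or reconfigure a trail. The action names are real CloudTrail actions; the policy is attached to the organizational unit that holds the developer accounts, and the management account, where the organization trail is administered, is never subject to SCPs, so it stays free to manage the trail.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailModification",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    }
  ]
}
```

Because an SCP is a deny boundary rather than a grant, the developer still needs IAM permissions for everything else; the policy only guarantees that no principal in the account, including root, can alter or stop the mandatory trail.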