AWS Certified Solutions Architect – Associate (SAA-C02) — Question 481
A company's security policy requires that all AWS API activity in its AWS accounts be recorded for periodic auditing. The company needs to ensure that AWS
CloudTrail is enabled on all of its current and future AWS accounts using AWS Organizations.
Which solution is MOST secure?
Answer options
- A. At the organization's root, define and attach a service control policy (SCP) that permits enabling CloudTrail only.
- B. Create IAM groups in the organization's management account as needed. Define and attach an IAM policy to the groups that prevents users from disabling CloudTrail.
- C. Organize accounts into organizational units (OUs). At the organization's root, define and attach a service control policy (SCP) that prevents users from disabling CloudTrail.
- D. Add all existing accounts under the organization's root. Define and attach a service control policy (SCP) to every account that prevents users from disabling CloudTrail.
Correct answer: C
Explanation
Attaching a service control policy (SCP) at the organization's root ensures that the policy is inherited automatically by every existing and future account, effectively preventing any user (including root) from disabling CloudTrail. Option C is the most secure and scalable approach because organizing accounts into OUs aligns with AWS best practices, whereas attaching SCPs to each account individually (Option D) adds administrative overhead and is prone to human error as new accounts are created. Option A would block every AWS API action other than enabling CloudTrail, and Option B's IAM policies in the management account cannot govern administrative actions in member accounts.
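As an added illustration (not part of the original question), the SCP below is the kind of policy Option C describes: attached at the organization's root, it denies the CloudTrail API actions that would stop, delete or weaken a trail, so the deny is inherited by every current and future member account. The statement ID and the exact set of actions are this example's choices; the actions themselves are real CloudTrail API actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    }
  ]
}
```

SCPs constrain every principal in member accounts, including each account's root user, but they never apply to the management account, so the trail itself is best created as an organization trail from the management account and the policy verified by confirming that a test principal in a member account receives an explicit deny on these actions.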