AWS Certified Solutions Architect – Associate (SAA-C03) — Question 998

A solutions architect is designing a security solution for a company that wants to provide developers with individual AWS accounts through AWS Organizations, while also maintaining standard security controls. Because the individual developers will have AWS account root user-level access to their own accounts, the solutions architect wants to ensure that the mandatory AWS CloudTrail configuration that is applied to new developer accounts is not modified.

Which action meets these requirements?

Answer options

Correct answer: C

Explanation

Service control policies (SCPs) are used to manage permissions in an organization, and they override even the root user permissions of member accounts. By applying an SCP that denies CloudTrail modification actions (such as StopLogging or DeleteTrail) to the developer accounts, the solutions architect ensures the configuration remains intact. IAM policies cannot restrict the root user of an account, making options that rely on IAM policies ineffective against root-level access.
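The SCP described in the explanation, as an added example that is not part of the original question material. The exempt role name, the extra `UpdateTrail` and `PutEventSelectors` actions, and the account ID are assumptions for illustration, and `is_denied` is a simplified model of explicit-Deny matching rather than AWS's policy engine.

```python
import json
from fnmatch import fnmatchcase

# Hypothetical role allowed to manage the trail (assumption, not from the page).
EXEMPT_ROLE = "arn:aws:iam::*:role/ExampleSecurityAdminRole"

def build_cloudtrail_guard_scp(exempt_role_arn=EXEMPT_ROLE):
    """SCP that denies changes to CloudTrail for everyone except one role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": exempt_role_arn}},
        }],
    }

def is_denied(scp, action, principal_arn):
    """Simplified explicit-Deny check: action matches and the condition holds."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # IAM action names are case-insensitive.
        action_hit = any(fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"])
        pattern = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        # ArnNotLike holds when the caller's ARN does NOT match the exempt pattern.
        condition_hit = pattern is None or not fnmatchcase(principal_arn, pattern)
        if action_hit and condition_hit:
            return True
    return False

if __name__ == "__main__":
    scp = build_cloudtrail_guard_scp()
    print(json.dumps(scp, indent=2))  # policy document to attach to the developer OU
    # Constructed principals in a placeholder account ID.
    for arn in ("arn:aws:iam::111122223333:root",
                "arn:aws:iam::111122223333:role/ExampleSecurityAdminRole"):
        verdict = "denied" if is_denied(scp, "cloudtrail:StopLogging", arn) else "not denied by SCP"
        print(arn, "->", verdict)
```

The printed JSON takes effect only once it is attached to the developer accounts or the organizational unit that contains them; SCPs do not restrict the organization's management account.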