AWS Certified Solutions Architect – Professional — Question 1011

A company is planning a migration from an on-premises data center to the AWS Cloud. The company plans to use multiple AWS accounts that are managed in an organization in AWS Organizations. The company will create a small number of accounts initially and will add accounts as needed. A solutions architect must design a solution that turns on AWS CloudTrail in all AWS accounts.
What is the MOST operationally efficient solution that meets these requirements?

Answer options

• A. Create an AWS Lambda function that creates a new CloudTrail trail in all AWS accounts in the organization. Invoke the Lambda function daily by using a scheduled action in Amazon EventBridge (Amazon CloudWatch Events).
• B. Create a new CloudTrail trail in the organization's management account. Configure the trail to log all events for all AWS accounts in the organization.
• C. Create a new CloudTrail trail in all AWS accounts in the organization. Create new trails whenever a new account is created. Define an SCP that prevents deletion or modification of trails. Apply the SCP to the root OU.
• D. Create an AWS Systems Manager Automation runbook that creates a CloudTrail trail in all AWS accounts in the organization. Invoke the automation by using Systems Manager State Manager.

Correct answer: B

Explanation

Creating an organization trail from the management account automatically applies to all existing and future member accounts, making it the most operationally efficient solution. Options A and D introduce unnecessary complexity by utilizing custom Lambda functions or Systems Manager runbooks to manage the trails. Option C is operationally inefficient because it requires manual intervention to deploy trails whenever a new account is created.