AWS Certified SysOps Administrator – Associate (legacy) — Question 655

A company has several accounts between different teams and wants to increase its auditing and compliance capabilities. The accounts are managed through
AWS Organizations. Management wants to provide the security team with secure access to the account logs while also restricting the possibility for the logs to be modified.
How can a SysOps administrator achieve this is with the LEAST amount of operational overhead?

Answer options

• A. Store AWS CloudTrail logs in Amazon S3 in each account. Create a new account to store compliance data and replicate the objects into the newly created account.
• B. Store AWS CloudTrail logs in Amazon S3 in each account. Create an IAM user with read-only access to the CloudTrail logs.
• C. From the master account, create an organization trail using AWS CloudTrail and apply it to all Regions. Use IAM roles to restrict access.
• D. Use an AWS CloudFormation stack set to create an AWS CloudTrail trail in every account and restrict permissions to modify the logs.

Correct answer: C

Explanation

Creating an organization trail in AWS CloudTrail from the management account automatically deploys the trail across all member accounts in the organization, which minimizes administrative overhead. This centralized approach ensures that member accounts cannot modify or delete the trail, and access to the resulting log files can be securely managed using IAM roles. Other options, such as managing individual trails per account or setting up replication manually, introduce significant operational complexity.