Q84 — AWS DOP-C02 Ch.3


A security team wants to use AWS CloudTrail to monitor management events and API calls across multiple accounts within the same AWS Organization. The security team needs to ensure that account users cannot disable CloudTrail in their accounts.

Correct Answer: A. Apply a Service Control Policy (SCP) to all OUs denying the `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` actions.

Explanation

AWS Organizations Service Control Policies (SCPs) centrally manage permissions across an organization or specific organizational units (OUs). As documented by AWS, SCPs set the maximum permissions available to member accounts by explicitly allowing or denying actions; a deny in an SCP cannot be overridden by any IAM policy inside the member account. To prevent users from disabling CloudTrail, the `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` API actions must be denied. Option A uses an SCP to deny these two actions across all targeted OUs, ensuring consistent, centralized enforcement. Option B relies on per-account IAM policies, which introduces management complexity and leaves room for privilege escalation, since an account administrator could simply edit the policy. Options C and D are reactive mechanisms that detect or alert after the fact and cannot proactively prevent CloudTrail deactivation. AWS best practices recommend SCPs for enforcing critical service protections at scale.
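The SCP that option A describes, written out as an added example (not part of the original question or of any AWS-published policy). It denies the two actions named above for every principal in the OU, and additionally carves out a hypothetical break-glass role, `SecurityBreakGlass`, that the question does not mention, so that the security team itself can still rotate or remove trails; drop the `Condition` block if no such exception is wanted.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailDisable",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/SecurityBreakGlass"
        }
      }
    }
  ]
}
```

An SCP never grants access and does not apply to the organization's management account, so the member accounts' trails stay protected only while the policy is attached to their OUs (or to the root) and the management account itself is locked down separately.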