Q84 — AWS DOP-C02 Ch.3
Question 84 of 100
A security team wants to use AWS CloudTrail to monitor management events and API calls across multiple accounts within the same AWS Organization. The security team needs to ensure that account users cannot disable CloudTrail in their accounts.
- A. Apply a Service Control Policy (SCP) to all OUs denying the `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` actions. ✓
- B. Create IAM policies in each account denying the `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` actions.
- C. Set up Amazon CloudWatch Alarms to notify the security team when a user disables CloudTrail in an account.
- D. Use AWS Config to automatically re-enable CloudTrail if a user disables it in an account.
Correct Answer: A. Apply a Service Control Policy (SCP) to all OUs denying the `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` actions.
Explanation
AWS Organizations Service Control Policies (SCPs) centrally manage the maximum available permissions across an organization or specific organizational units (OUs). As documented by AWS, SCPs define permission boundaries by explicitly allowing or denying actions for member accounts, and a deny in an SCP applies regardless of what IAM policies inside the member account grant. To prevent users from disabling CloudTrail, the `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` API actions must be denied. Option A uses an SCP to deny these two actions across all targeted OUs, ensuring consistent, centralized enforcement. Option B relies on per-account IAM policies, which introduce management complexity and can be edited or removed by anyone holding IAM administrative rights in that account, leaving a path to disable the trail. Options C and D are reactive mechanisms: they detect or repair deactivation after the fact and cannot proactively prevent it. AWS best practices recommend SCPs for enforcing critical service protections at scale.