Q5 — AWS SCS-C02 Ch.1

Question 5 of 100

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions. A security engineer must implement a solution to prevent CloudTrail from being disabled. Which solution will meet this requirement?

Correct Answer: C. Create an SCP that includes an explicit Deny rule for the StopLogging action and the DeleteTrail action. Attach the SCP to the root OU.

Explanation

AWS Organizations uses service control policies (SCPs) to set a permission boundary on member accounts at the organization level. As the AWS documentation states, an SCP that explicitly denies specific API actions (here `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail`) prevents those actions in every account it applies to, regardless of what IAM policies inside the account allow, because an explicit Deny in an SCP cannot be overridden by an IAM Allow. Option C applies exactly that Deny rule, and attaching the SCP to the root makes it apply to every member account in the organization. Option A concerns only log file integrity validation (it detects tampering with delivered log files but does not stop a trail from being turned off), option B addresses encryption rather than restricting API operations, and option D's IAM policy is account-local and can be changed by anyone with IAM permissions in that account, so it cannot enforce the restriction across the organization. One caveat a practitioner should keep in mind: SCPs never apply to the management account, so the trail configured there still needs separate protection, such as tightly scoped IAM permissions and monitoring.
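The following is an added example, not part of the original question or of any AWS material: it builds the SCP document described in the answer, implements a small matcher for the Deny logic so the policy can be checked offline, and runs a few constructed CloudTrail event records through it to confirm which tampering actions the SCP would block. The matcher only handles the `Action` field with `*` and `prefix*` wildcards, which is enough for this policy; it is not a full IAM evaluator. The extra actions `cloudtrail:UpdateTrail` and `cloudtrail:PutEventSelectors` go beyond the two the answer names and are an assumption about what an organization would also want blocked, since they can reduce what a trail records without deleting it.

```python
import json

# StopLogging and DeleteTrail are the two actions the answer names.
# UpdateTrail and PutEventSelectors are an added assumption: they can
# silence a trail (e.g. drop multi-Region or management events) without
# deleting it, so a production SCP usually denies them too.
DENIED_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors",
]


def build_scp(actions=DENIED_ACTIONS):
    """Return an SCP document with one explicit Deny statement covering
    `actions` on all trails. Note: SCPs never apply to the management
    account, so that account's trail needs separate protection."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ProtectCloudTrail",
                "Effect": "Deny",
                "Action": sorted(actions),
                "Resource": "*",
            }
        ],
    }


def _pattern_matches(pattern, action):
    """Match an IAM action pattern ('*', 'svc:Name', 'svc:Prefix*')
    against a concrete 'svc:Name' action, case-insensitively."""
    pattern, action = pattern.lower(), action.lower()
    if pattern == "*" or pattern == action:
        return True
    p_service, _, p_name = pattern.partition(":")
    service, _, name = action.partition(":")
    return (
        p_service == service
        and p_name.endswith("*")
        and name.startswith(p_name[:-1])
    )


def scp_denies(policy, action):
    """True if any Deny statement in `policy` matches `action`.
    An explicit Deny here wins over any IAM Allow in the member account."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(_pattern_matches(p, action) for p in patterns):
            return True
    return False


def event_to_action(event):
    """Map a CloudTrail record's eventSource/eventName to an IAM action,
    e.g. cloudtrail.amazonaws.com + StopLogging -> cloudtrail:StopLogging."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def uncovered_attempts(policy, events):
    """Return the actions from `events` that the SCP would NOT block.
    Useful for checking a proposed SCP against real management events."""
    return [
        event_to_action(e) for e in events if not scp_denies(policy, event_to_action(e))
    ]


# Constructed sample management events (not real log data): two tampering
# attempts the SCP must block, one harmless read call, and one non-CloudTrail call.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "LookupEvents"},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket"},
]

if __name__ == "__main__":
    scp = build_scp()
    # JSON suitable for: aws organizations create-policy --type SERVICE_CONTROL_POLICY \
    #   --name ProtectCloudTrail --description "..." --content file://scp.json
    print(json.dumps(scp, indent=2))
    print("Not blocked by this SCP:", uncovered_attempts(scp, SAMPLE_EVENTS))
```

Running the script prints the policy JSON, which can be passed to `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://scp.json` and then attached to the root with `aws organizations attach-policy --target-id <root-id> --policy-id <policy-id>`. The `LookupEvents` and `s3:DeleteBucket` calls are reported as not blocked, which is the intended result: the SCP restricts only the trail-tampering actions, and deleting the log bucket itself would need its own protection (for example an S3 bucket policy or a separate Deny on `s3:DeleteBucket`).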