
SCS-C02 Exam - Question 78


A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration.

How can the security engineer meet these requirements?

Correct Answer: C

To ensure that DevOps team members cannot modify or disable the CloudTrail configuration, the most effective approach is to use a Service Control Policy (SCP). SCPs are used in AWS Organizations to enforce policies across all accounts within the organization or within specific organizational units. By creating an SCP that prohibits changes to the CloudTrail trail and applying it to the appropriate organizational unit or account, you ensure that these restrictions are enforced organization-wide, regardless of the permissions granted within individual accounts. This provides centralized control and ensures consistency in policy enforcement across all accounts.
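The kind of SCP the explanation describes, written out as an added example (not taken from the exam page or from AWS documentation): a deny statement for the CloudTrail actions that would stop, alter or delete the trail, scoped to the trail's ARN. The region, account ID and trail name in the `Resource` value are placeholders to be replaced with the centralized audit trail's real ARN; the policy is then attached to the DevOps organizational unit (or the individual child accounts).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangesToCentralAuditTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:RemoveTags"
      ],
      "Resource": "arn:aws:cloudtrail:REGION:ACCOUNT-ID:trail/CENTRAL-AUDIT-TRAIL-NAME"
    }
  ]
}
```

Because an SCP deny applies to every principal in the affected accounts, including users with AdministratorAccess and the member account's root user, an administrator in a DevOps account still receives an AccessDenied error on these calls. The management account is not governed by SCPs, so the trail should be created and administered from there (or from the dedicated security account), and the S3 bucket policy in the centralized account should separately restrict who can alter or delete the delivered log objects.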

Discussion

7 comments
Raphaello (Option: C)
Feb 21, 2024

Correct answer is C. Use SCP to deny changes to the specific trail, apply the policy to designated OU or accounts.

[Removed] (Option: C)
Nov 24, 2023

C sounds good

Aamee (Option: C)
Nov 25, 2023

For sure it should be 'D'.

Aamee
Nov 25, 2023

typo: 'C'.

oioi (Option: C)
Nov 23, 2023

correct

3633f8f (Option: C)
Dec 16, 2023

C is correct.

vikasj1in
Jan 13, 2024

SCPs in AWS Organizations are used to set fine-grained permissions and restrictions on AWS accounts within an organization. They operate at the root level or organizational unit level. The security engineer can enforce a policy at the organizational level, ensuring that no accounts under the specified organizational unit can make modifications or disable the CloudTrail configuration. While IAM policies and S3 bucket policies can control access to resources, they are typically more focused on granting permissions rather than restricting actions on CloudTrail trails globally across the organization. Option C, using an SCP, provides centralized control and is well-suited for enforcing organization-wide policies. It ensures that even if DevOps team members have administrative permissions in their individual accounts, they won't be able to modify or disable the specified CloudTrail trail due to the SCP restrictions.

7c84836
Jul 13, 2024

why not D?