Which action meets these requirements?

September 16, 2021 by Admin

A solutions architect is designing a security solution for a company that wants to provide developers with individual AWS accounts through AWS Organizations, while also maintaining standard security controls. Because the individual developers will have AWS account root user-level access to their own accounts, the solutions architect wants to ensure that the mandatory AWS CloudTrail configuration that is applied to new developer accounts is not modified.

Which action meets these requirements?

  • Create an IAM policy that prohibits changes to CloudTrail, and attach it to the root user.
  • Create a new trail in CloudTrail from within the developer accounts with the organization trails option enabled.
  • Create a service control policy (SCP) the prohibits changes to CloudTrail, and attach it the developer accounts.
  • Create a service-linked role for CloudTrail with a policy condition that allows changes only from an Amazon Resource Name (ARN) in the master account.

Leave a Reply