A solutions architect is designing security controls for developer accounts created under AWS Organizations. Developers will have root user–level access to their own accounts, but the architect must ensure the mandatory AWS CloudTrail configuration applied to new developer accounts cannot be modified. Which action meets this requirement?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts..
Why this is the answer
A Service Control Policy (SCP) is the correct choice because it allows you to centrally manage permissions for all accounts in your AWS Organization. By creating an SCP that explicitly denies actions related to modifying CloudTrail configurations (e.g., cloudtrail:UpdateTrail, cloudtrail:DeleteTrail) and attaching it to the Organizational Unit (OU) containing the developer accounts, you ensure that even the root user in those accounts cannot bypass the policy. IAM policies attached to the root user are ineffective because the root user can always remove or modify their own attached policies. Creating a new trail within developer accounts with the organization trails option enabled doesn't prevent modification of the mandatory trail. Service-linked roles are for specific AWS services to assume permissions and don't provide the organization-wide, preventative control needed here.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed