How can the security engineers meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams.AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account.A security engineer needs to ensure thatDevOps team members are unable to modify or disable this configuration.

How can the security engineers meet these requirements?

Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.

Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.

Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.

Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.

Explanations:

Applying an IAM policy to the root user is not a best practice, as the root user should have minimal permissions. Furthermore, the root user cannot be restricted from modifying AWS services like CloudTrail, making this option ineffective.

While an S3 bucket policy can restrict access to the bucket, it cannot prevent the modification or disabling of the CloudTrail trail itself. This option does not address the core requirement of protecting the CloudTrail configuration from changes.

Service Control Policies (SCPs) in AWS Organizations can restrict actions for accounts within the organization. By creating an SCP that prohibits changes to the specific CloudTrail trail and applying it to the relevant organizational unit or account, the security engineer can ensure that DevOps team members cannot modify or disable the CloudTrail configuration effectively.

While creating an IAM policy for a new IAM group can restrict team members’ permissions, it may not fully prevent all users in the group from altering the CloudTrail configuration. IAM policies alone do not cover the root user or other administrative roles that may have permission to change CloudTrail settings.

2025-10-09

1 Comment

  1. Samantha
    Author

    I surmise that the answer is:
    Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.

Leave a Reply

Your email address will not be published. Required fields are marked *

20 − five =