How can the security engineers meet these requirements?
Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.
Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.
Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply it to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.
Explanations:
Applying an IAM policy to the root user is not a best practice, as the root user should have minimal permissions. Furthermore, IAM policies cannot restrict the root user from modifying AWS services like CloudTrail, making this option ineffective.
While an S3 bucket policy can restrict access to the bucket, it cannot prevent the modification or disabling of the CloudTrail trail itself. This option does not address the core requirement of protecting the CloudTrail configuration from changes.
Service Control Policies (SCPs) in AWS Organizations can restrict actions for accounts within the organization. By creating an SCP that prohibits changes to the specific CloudTrail trail and applying it to the relevant organizational unit or account, the security engineer can effectively ensure that DevOps team members cannot modify or disable the CloudTrail configuration. SCPs also apply to the root user of member accounts, so the restriction holds even if someone signs in as root.
While creating an IAM policy for a new IAM group can restrict team members’ permissions, it may not fully prevent all users in the group from altering the CloudTrail configuration. IAM policies alone do not cover the root user or other administrative roles that may have permission to change CloudTrail settings.
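An SCP of the kind the correct option describes, added here as an example and not taken from the original question set. REGION, ACCOUNT-ID and TRAIL-NAME in the Resource ARN are placeholders for the trail being protected; the SCP is attached to the organizational unit (or member account) that holds the DevOps team's accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCloudTrailTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "arn:aws:cloudtrail:REGION:ACCOUNT-ID:trail/TRAIL-NAME"
    }
  ]
}
```

Because an SCP only sets the permission boundary for the accounts it is attached to, the explicit Deny applies to every IAM user, role and the root user in those member accounts, while the organization's management account remains unaffected.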