Which action meets these requirements?

Explanations:

IAM policies cannot be attached to the root user directly in a way that would prevent modifications. The root user inherently has full permissions and can bypass any IAM policies applied to the account. Therefore, this option does not effectively secure CloudTrail configurations from being altered by developers.

While creating a new trail with the organization trails option enabled allows for centralized logging, it does not inherently prevent developers from making changes to that configuration. Developers could still modify or delete the trail created within their account, failing to meet the requirement of maintaining the mandatory configuration.

Service Control Policies (SCPs) can be used to manage permissions across AWS Organizations. By creating an SCP that explicitly prohibits changes to CloudTrail and attaching it to developer accounts, the architect can ensure that even if developers have root user access, they cannot alter the CloudTrail configurations. This meets the requirement of enforcing standard security controls.

A service-linked role for CloudTrail does not prevent the developer accounts from making changes to the CloudTrail configuration. The policy condition described would not be effective in restricting actions from the root user or other IAM users within those developer accounts, thus failing to ensure the mandatory configuration remains unchanged.