Which action meets these requirements?
Create an IAM policy that prohibits changes to CloudTrail, and attach it to the root user.
Create a new trail in CloudTrail from within the developer accounts with the organization trails option enabled.
Create a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts.
Create a service-linked role for CloudTrail with a policy condition that allows changes only from an Amazon Resource Name (ARN) in the management account.
Explanations:
IAM policies cannot be attached to the root user, so an identity-based policy offers no way to prevent it from modifying anything. The root user inherently has full permissions within the account and bypasses any IAM policies applied there. Therefore, this option does not effectively protect the CloudTrail configuration from being altered by developers.
While creating a new trail with the organization trails option enabled allows for centralized logging, it does not inherently prevent developers from making changes to that configuration. Developers could still modify or delete the trail created within their account, failing to meet the requirement of maintaining the mandatory configuration.
Service Control Policies (SCPs) can be used to manage permissions across AWS Organizations. By creating an SCP that explicitly prohibits changes to CloudTrail and attaching it to developer accounts, the architect can ensure that even if developers have root user access, they cannot alter the CloudTrail configurations. This meets the requirement of enforcing standard security controls.
A service-linked role for CloudTrail does not prevent the developer accounts from making changes to the CloudTrail configuration. The policy condition described would not be effective in restricting actions from the root user or other IAM users within those developer accounts, thus failing to ensure the mandatory configuration remains unchanged.
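The SCP that option C describes, written out as an added example (not part of the original question); the role name OrgCloudTrailAdmin in the exception condition is a placeholder for whatever break-glass role the organization designates, and the action list covers the CloudTrail calls that stop, delete or reconfigure a trail:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailChanges",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:PutInsightSelectors",
        "cloudtrail:RemoveTags"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/OrgCloudTrailAdmin"
        }
      }
    }
  ]
}
```

Attached to the organizational unit that holds the developer accounts, this Deny applies to every principal in those accounts, including their root users, which is why it satisfies the requirement where an IAM policy cannot. SCPs never apply to the management account, so the organization trail remains manageable from there without any exception in the policy.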