What is the MOST operationally efficient solution that meets these requirements?

By:
On:
In: SAP-C02
Tagged:
With: 0 Comments
A company is planning a migration from an on-premises data center to the AWS Cloud.The company plans to use multiple AWS accounts that are managed in an organization in AWS Organizations.The company will create a small number of accounts initially and will add accounts as needed.A solutions architect must design a solution that turns on AWS CloudTrail in all AWS accounts.

What is the MOST operationally efficient solution that meets these requirements?

Create an AWS Lambda function that creates a new CloudTrail trail in all AWS accounts in the organization. Invoke the Lambda function daily by using a scheduled action in Amazon EventBridge.

Create a new CloudTrail trail in the organization’s management account. Configure the trail to log all events for all AWS accounts in the organization.

Create a new CloudTrail trail in all AWS accounts in the organization. Create new trails whenever a new account is created. Define an SCP that prevents deletion or modification of trails. Apply the SCP to the root OU.

Create an AWS Systems Manager Automation runbook that creates a CloudTrail trail in all AWS accounts in the organization. Invoke the automation by using Systems Manager State Manager.

Explanations:

While creating a Lambda function to automate the creation of CloudTrail trails could work, invoking it daily adds unnecessary complexity and operational overhead. It would not efficiently manage new accounts as they are created, requiring continual updates to the Lambda function or handling state management.

Creating a CloudTrail trail in the management account that logs events for all AWS accounts in the organization is the most operationally efficient solution. This allows centralized management and monitoring of all accounts without needing to create and manage individual trails, ensuring all events are captured across the organization efficiently.

While creating a trail in each account and preventing deletion or modification is a robust security measure, it requires ongoing management as new accounts are added, which increases operational overhead. This approach does not leverage centralized logging efficiently.

Using a Systems Manager Automation runbook is a valid approach but adds complexity and overhead compared to directly managing trails from the management account. Like option A, it requires running the automation whenever a new account is added, leading to more operational effort without significant benefits over option B.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 × two =