Which action meets these requirements?
Create an IAM policy that prohibits changes to CloudTrail, and attach it to the root user.
Create a new trail in CloudTrail from within the developer accounts with the organization trails option enabled.
Create a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer accounts.
Create a service-linked role for CloudTrail with a policy condition that allows changes only from an Amazon Resource Name (ARN) in the management account.
Explanations:
An IAM policy attached to the root user would not be effective. IAM permission policies cannot be attached to the root user at all, and nothing inside an account restricts what root can do; anyone with root credentials in a developer account could still stop logging, delete the trail, or change its settings. Only an SCP applied from the organization can constrain the root user of a member account, so this option cannot prevent changes to the CloudTrail configuration.
Creating a new trail from within the developer accounts does not enforce the mandatory configuration. Organization trails can only be created from the organization's management account (or a delegated administrator account), not from member accounts, so the option is not possible as described. A trail that developers create in their own account is one they can still modify or delete, which does not meet the requirement of preventing changes to the mandatory configuration.
A service control policy (SCP) sets the maximum permissions for every principal in the accounts it is attached to, including each member account's root user, and an explicit Deny in an SCP cannot be overridden by any IAM policy inside the account. Creating an SCP that denies the CloudTrail write actions (for example cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors) and attaching it to the developer accounts, or to the OU that contains them, ensures that developers cannot modify the CloudTrail settings. One caveat: SCPs never restrict the management account, so the mandatory trail itself should be created and managed from there.
A service-linked role for CloudTrail does not restrict who can modify the CloudTrail settings. The role (AWSServiceRoleForCloudTrail) is assumed by the CloudTrail service itself, its permissions are predefined by AWS and cannot be customized with conditions, and a role's policy only governs what that role can do, not what developers' own IAM identities or the root user can do. Developers with CloudTrail permissions or root access in their accounts could still modify CloudTrail, so this option fails to meet the requirement.
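The following SCP is an added example to illustrate the correct answer (the SCP described in the explanation for the third option); it is not part of the original question or of any AWS documentation. It denies the CloudTrail write actions for every principal in the account except one assumed break-glass role, CloudTrailAdministrator (a hypothetical name), and it also denies changes to that role itself, since an exemption that developers could recreate or re-trust would otherwise let them bypass the first statement.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailChanges",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:AddTags",
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:PutInsightSelectors",
        "cloudtrail:RemoveTags",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/CloudTrailAdministrator"
        }
      }
    },
    {
      "Sid": "ProtectExemptRole",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole"
      ],
      "Resource": "arn:aws:iam::*:role/CloudTrailAdministrator",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/CloudTrailAdministrator"
        }
      }
    }
  ]
}
```

The policy is created and attached from the management account, for example with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` followed by `aws organizations attach-policy --target-id <account or OU id>`; SCPs must be enabled for the organization (all features mode) for either command to take effect. Because the Deny is applied to every principal in the member account, it also binds the account's root user, which is the property that makes the first option fail. cloudtrail:CreateTrail is deliberately not denied here so developers can still add trails of their own; deny it as well if the requirement is that only the organization's trail may exist. If no exemption is needed, drop both Condition blocks and the second statement entirely, which leaves a strict deny that only the management account can work around.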