Which set of actions should the security team implement to accomplish this?
Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge (Amazon CloudWatch Events) to send notification if a trail is deleted or stopped.
Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
Edit the existing trail in the Organizations master account and apply it to the organization.
Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
Explanations:
Creating a new trail and using EventBridge for notifications would not ensure that trails are configured for all existing and future accounts. It only addresses deletion or stopping of the trail but does not guarantee that a trail is set up in every account.
Deploying a Lambda function in every account to check and create a trail would require ongoing maintenance and complex management. It’s not an automated way to ensure compliance across all accounts within the organization.
Editing the existing trail in the Organizations master account and applying it to the organization ensures that all existing and new accounts within the organization have a trail configured, fulfilling the security team’s requirements.
While denying the cloudtrail:Delete* and cloudtrail:Stop* actions would prevent trails from being deleted or stopped, it does not ensure that a trail is configured in every account, nor does it guarantee a trail is created for future accounts.