Which solution is MOST secure?
A. At the organization’s root, define and attach a service control policy (SCP) that permits enabling CloudTrail only.
B. Create IAM groups in the organization’s management account as needed. Define and attach an IAM policy to the groups that prevents users from disabling CloudTrail.
C. Organize accounts into organizational units (OUs). At the organization’s root, define and attach a service control policy (SCP) that prevents users from disabling CloudTrail.
D. Add all existing accounts under the organization’s root. Define and attach a service control policy (SCP) to every account that prevents users from disabling CloudTrail.
Explanations:
A. While this option allows enabling CloudTrail, it does not prevent users from disabling it after it has been enabled, so it does not meet the requirement for continuous auditing.
B. Creating IAM groups and policies can help restrict actions at the user level, but it does not enforce a consistent organization-wide policy. Users with appropriate permissions could still disable CloudTrail, undermining the auditing requirement.
C. This option effectively prevents users from disabling CloudTrail by applying a service control policy (SCP) at the organizational level, ensuring that all accounts under the OU are protected regardless of individual user permissions.
D. This option requires applying an SCP to every account individually, which is less efficient and harder to manage. Moreover, it does not provide a proactive approach for future accounts, as new accounts would not automatically inherit the policy without manual intervention.
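As an added illustration (not part of the original question), this is the shape of an SCP of the kind option C describes, attached at the organization's root. The list of CloudTrail actions treated as "disabling" a trail is an assumption for this example; the statement denies stopping, deleting, or reconfiguring a trail in every account the SCP applies to.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    }
  ]
}
```

Because the SCP is attached at the root, every OU and member account, including accounts created later, inherits it, and no IAM policy inside a member account can override the Deny. Note that SCPs do not restrict the management account itself, so the trail should be owned and protected in a member account.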