Which solution will meet these requirements?
Add the AWS::EC2::FlowLog resource to the CloudFormation stack that creates the VPCs.
Create an organization in AWS Organizations. Add the company’s AWS account to the organization. Create an SCP to prevent users from modifying VPC flow logs.
Turn on AWS Config. Create an AWS Config rule to check whether VPC flow logs are turned on. Configure automatic remediation to turn on VPC flow logs.
Create an IAM policy to deny the use of API calls for VPC flow logs. Attach the IAM policy to all IAM users.
Explanations:
Adding the AWS::EC2::FlowLog resource to the CloudFormation stack configures flow logs only for the VPCs created by that specific stack. It does nothing for VPCs created by other stacks, by other IAM users, or through the console, CLI or API outside the stack, so it cannot guarantee coverage of all VPCs.
Creating an organization and using an SCP to prevent modifications to flow logs is not the best approach to enforce that flow logs remain configured. An SCP can only deny actions (for example, deleting a flow log); it cannot create or enable VPC flow logs, so a VPC that is created without flow logs stays uncovered. SCPs also do not apply to the organization's management account.
AWS Config can be used to monitor whether VPC flow logs are enabled and can automatically remediate any VPC without flow logs, ensuring compliance across all VPCs in the account. The managed rule vpc-flow-logs-enabled evaluates every VPC resource, regardless of who or what created it, and the remediation action (an SSM Automation runbook) creates the missing flow log. Note that AWS Config evaluates resources only in the regions where it is recording, so it must be turned on in every region where VPCs can be created.
Creating an IAM policy to deny the use of API calls for VPC flow logs would prevent users from creating or deleting flow logs, but it would not ensure that flow logs are enabled for new VPCs. Attaching the policy only to IAM users also misses IAM roles and federated identities. This approach is restrictive and not proactive in ensuring flow logs are created.
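The AWS Config rule with automatic remediation described above, written out as a CloudFormation template. This is an added example, not part of the original question or answer. It assumes AWS Config is already recording in the account and region, that the remediation is performed by the AWS-managed SSM Automation document AWSConfigRemediation-EnableVPCFlowLogsToCloudWatch, and that that document takes the parameters AutomationAssumeRole, VPCId, LogGroupName, IamRoleArn and TrafficType (check the parameter list of the document in your region before deploying). The log group name, role names and retention period are illustrative choices.

```yaml
# Added example: detective control (AWS Config managed rule) plus corrective
# control (automatic remediation through SSM Automation) for VPC flow logs.
# Assumes AWS Config is already recording AWS::EC2::VPC resources in this region.
AWSTemplateFormatVersion: '2010-09-09'
Description: Flag VPCs without flow logs and turn flow logs on automatically

Parameters:
  FlowLogGroupName:
    Type: String
    Default: /vpc/flow-logs          # assumed name, change to taste
  TrafficType:
    Type: String
    Default: ALL
    AllowedValues: [ACCEPT, REJECT, ALL]

Resources:
  # Destination for the flow logs that remediation creates
  FlowLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Ref FlowLogGroupName
      RetentionInDays: 90

  # Role assumed by the VPC Flow Logs service to publish into the log group
  FlowLogDeliveryRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: vpc-flow-logs.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: publish-flow-logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogGroups
                  - logs:DescribeLogStreams
                Resource:
                  - !GetAtt FlowLogGroup.Arn
                  - !Sub '${FlowLogGroup.Arn}:*'

  # Role assumed by SSM Automation when it runs the remediation runbook.
  # Permissions below are the assumed minimum for creating a flow log to CloudWatch.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: enable-vpc-flow-logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ec2:CreateFlowLogs
                  - ec2:DescribeFlowLogs
                Resource: '*'
              - Effect: Allow
                Action: iam:PassRole          # only the delivery role may be passed
                Resource: !GetAtt FlowLogDeliveryRole.Arn

  # Detective control: AWS managed rule that marks any VPC without a flow log
  # matching the requested traffic type as NON_COMPLIANT.
  FlowLogsEnabledRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: vpc-flow-logs-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::VPC
      Source:
        Owner: AWS
        SourceIdentifier: VPC_FLOW_LOGS_ENABLED
      InputParameters:
        trafficType: !Ref TrafficType

  # Corrective control: run the runbook automatically on each NON_COMPLIANT VPC.
  # RESOURCE_ID is substituted by Config with the ID of the evaluated VPC.
  FlowLogsRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref FlowLogsEnabledRule
      TargetType: SSM_DOCUMENT
      TargetId: AWSConfigRemediation-EnableVPCFlowLogsToCloudWatch   # assumed document name
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values: [!GetAtt RemediationRole.Arn]
        VPCId:
          ResourceValue:
            Value: RESOURCE_ID
        LogGroupName:
          StaticValue:
            Values: [!Ref FlowLogGroupName]
        IamRoleArn:
          StaticValue:
            Values: [!GetAtt FlowLogDeliveryRole.Arn]
        TrafficType:
          StaticValue:
            Values: [!Ref TrafficType]
```

After deployment, existing VPCs are picked up by the rule's initial evaluation and new VPCs by the configuration-change evaluation, so a VPC created by any IAM user or tool is remediated without anyone touching the stack that created it. You can confirm the state with `aws configservice describe-compliance-by-config-rule --config-rule-names vpc-flow-logs-enabled`; a VPC that stays NON_COMPLIANT after the retry budget usually points at a permission missing from the remediation role. Because Config is per region, the same template must be deployed (for example as a StackSet) in every region where VPCs may be created.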