Which solution will meet this requirement?
Use the --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.
Create an SCP that includes a Deny rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
Create an SCP that includes an Allow rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
Use AWS Systems Manager to ensure that CloudTrail is always turned on.
Explanations:
The --is-multi-region-trail option only ensures that logs are delivered across all regions but does not prevent stopping of log delivery.
SCPs (Service Control Policies) can be used to enforce restrictions across accounts. Denying the cloudtrail:StopLogging action ensures no account can stop log delivery to CloudTrail.
Allowing the cloudtrail:StopLogging action would permit accounts to stop log delivery, which contradicts the requirement.
While Systems Manager can automate configuration, it does not offer a direct way to enforce that CloudTrail logs cannot be stopped. SCPs are the correct tool.