Topic 1 Question 251
A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.
A security engineer must implement a solution to prevent CloudTrail from being disabled.
Which solution will meet this requirement?
A. Enable CloudTrail log file integrity validation from the organization’s management account.
B. Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.
C. Create an SCP that includes an explicit Deny rule for the StopLogging action and the DeleteTrail action. Attach the SCP to the root OU.
D. Create IAM policies for all the company’s users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.
Comments (2)
- Selected answer: C
Service Control Policies (SCPs): These are powerful tools within AWS Organizations that allow you to enforce organization-wide controls over AWS resources and APIs.
Explicit Deny Rule: By explicitly denying the StopLogging and DeleteTrail actions, you ensure that no account within the organization can disable CloudTrail or delete the trails, thus maintaining compliance and continuous logging.
Root OU: Attaching the SCP to the root Organizational Unit ensures that the policy applies to all accounts within the organization, providing comprehensive coverage.
👍 1 IPLogic 2024/12/05
- Selected answer: C
AWS Organizations allows Service Control Policies (SCPs) to restrict actions across all accounts in an organization or organizational units (OUs). An SCP with an explicit Deny for the StopLogging and DeleteTrail actions will prevent CloudTrail from being stopped or deleted, ensuring continuous logging. SCPs override any IAM permissions in the member accounts, making this the best and most effective solution.
👍 1 AWSLoverLoverLoverLoverLover 2025/02/20
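The SCP both comments describe, written out as an added example (not part of the original page), together with a small simplified evaluator that shows why an SCP explicit Deny wins over an IAM Allow in a member account; the Sid, the helper names and the simplified evaluation model are assumptions:

```python
import fnmatch
import json

# Constructed SCP (not from the exam page): explicit Deny for the two CloudTrail
# actions named in option C. Attach it to the root OU so it covers every account.
# Other actions (e.g. cloudtrail:UpdateTrail) can be added to the same list.
PREVENT_CLOUDTRAIL_DISABLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingCloudTrail",  # assumed name
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        }
    ],
}


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards;
    # fnmatch covers the '*' and '?' forms used here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_explicitly_denies(scp: dict, action: str) -> bool:
    """True if any Deny statement in the SCP matches the action."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            return True
    return False


def effective_allow(scp: dict, iam_allowed_actions: list, action: str) -> bool:
    """Simplified evaluation (assumes the default FullAWSAccess SCP is still
    attached): an SCP explicit Deny overrides any IAM Allow in the member
    account, which is why option C works even for account administrators."""
    if scp_explicitly_denies(scp, action):
        return False
    return any(_action_matches(p, action) for p in iam_allowed_actions)


if __name__ == "__main__":
    print(json.dumps(PREVENT_CLOUDTRAIL_DISABLE_SCP, indent=2))
```

Run with an IAM policy of `["*"]` (an administrator) and `cloudtrail:StopLogging` is still refused, while read-only calls such as `cloudtrail:DescribeTrails` remain allowed.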