Topic 1 Question 39
A company manages multiple AWS accounts using AWS Organizations. The company’s security team notices that some member accounts are not sending AWS CloudTrail logs to a centralized Amazon S3 logging bucket. The security team wants to ensure there is at least one trail configured for all existing accounts and for any account that is created in the future. Which set of actions should the security team implement to accomplish this?
A. Create a new trail and configure it to send CloudTrail logs to Amazon S3. Use Amazon EventBridge to send notification if a trail is deleted or stopped.
B. Deploy an AWS Lambda function in every account to check if there is an existing trail and create a new trail, if needed.
C. Edit the existing trail in the Organizations management account and apply it to the organization.
D. Create an SCP to deny the cloudtrail:Delete* and cloudtrail:Stop* actions. Apply the SCP to all accounts.
Comments (3)
- Selected answer: C 👍 8 100fold 2024/04/19
- Selected answer: C
Only C mentions the use of the management account. By editing an existing trail in that account and applying it to the organization, an organization trail is ready to log events for the management account and all member accounts in the organization. This does away with the need to manually create and monitor a trail in every account.
👍 3 Daniel76 2024/06/01
- Selected answer: C
OrganizationTrail
👍 1 Raphaello 2024/08/08
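As an added illustration of the coverage point made in the comments (this is example code written for this page, not from the original post or from AWS): the function below decides whether every organization account is covered by a trail that delivers to the central bucket. An organization trail in the management account covers all members, present and future, so the check short-circuits; without one, each member account must be inspected individually. The trail records mimic the shape of CloudTrail's DescribeTrails output with an `IsLogging` field merged in from GetTrailStatus; the bucket name and all account data are constructed assumptions.

```python
# Added example: decide whether every account in an organization is covered by a
# CloudTrail trail that delivers to the central S3 bucket. Trail dicts follow the
# field names of the DescribeTrails API (IsOrganizationTrail, IsMultiRegionTrail,
# S3BucketName) plus IsLogging as returned by GetTrailStatus. All data is constructed.

CENTRAL_BUCKET = "central-cloudtrail-logs"  # assumed name of the logging bucket


def _covering(trail, bucket):
    """A trail counts only if it is multi-region, still logging, and aimed at
    the central bucket; a stopped or misdirected trail gives no coverage."""
    return (trail.get("S3BucketName") == bucket
            and trail.get("IsMultiRegionTrail", False)
            and trail.get("IsLogging", False))


def organization_trail_covers_all(mgmt_trails, bucket=CENTRAL_BUCKET):
    """True if the management account has an organization trail delivering to the
    central bucket. Such a trail is applied to every member account, including
    accounts created later, so no per-account check is needed."""
    return any(t.get("IsOrganizationTrail", False) and _covering(t, bucket)
               for t in mgmt_trails)


def accounts_missing_central_trail(mgmt_trails, member_trails, bucket=CENTRAL_BUCKET):
    """Accounts with no trail delivering to the central bucket. Returns [] when an
    organization trail exists, because it already covers all of them."""
    if organization_trail_covers_all(mgmt_trails, bucket):
        return []
    return sorted(acct for acct, trails in member_trails.items()
                  if not any(_covering(t, bucket) for t in trails))


# Constructed sample: the management account only has an account-local trail.
MGMT_TRAILS = [
    {"Name": "mgmt-only", "IsOrganizationTrail": False, "IsMultiRegionTrail": True,
     "S3BucketName": CENTRAL_BUCKET, "IsLogging": True},
]

# Constructed sample: what each member account reports for itself.
MEMBER_TRAILS = {
    "111111111111": [{"Name": "t1", "IsOrganizationTrail": False, "IsMultiRegionTrail": True,
                      "S3BucketName": CENTRAL_BUCKET, "IsLogging": True}],
    "222222222222": [],  # no trail at all
    "333333333333": [{"Name": "t3", "IsOrganizationTrail": False, "IsMultiRegionTrail": True,
                      "S3BucketName": CENTRAL_BUCKET, "IsLogging": False}],  # stopped
}

if __name__ == "__main__":
    print(accounts_missing_central_trail(MGMT_TRAILS, MEMBER_TRAILS))
```

Turning the management account's trail into an organization trail (option C) makes the per-account scan unnecessary, which is the reason the comments favour it over a Lambda function in every account.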