SCS-C02 Question #104: Real Exam Question with Answer & Explanation

The correct answer is C: Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the. Service Control Policies (SCPs) in AWS Organizations apply at the organizational unit or account level and cannot be overridden by IAM administrators within member accounts, ensuring centralized enforcement.

Submitted by yuriko_h · Mar 6, 2026

Question

A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration. How can the security engineer meet these requirements?

Options

  • A. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to
  • B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that
  • C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the
  • D. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to

Explanation

Service Control Policies (SCPs) in AWS Organizations apply at the organizational unit or account level and cannot be overridden by IAM administrators within member accounts, ensuring centralized enforcement.

Common mistakes.

  • A. IAM policies in a child account can be modified or deleted by an administrator with sufficient permissions within that same account, so they do not provide tamper-proof protection.
  • B. An S3 bucket policy in the destination account prevents tampering with the stored logs but does not prevent DevOps members from disabling or modifying the CloudTrail trail configuration itself in their own accounts.
  • D. IAM policies applied at the group or user level within the DevOps accounts can still be modified by account administrators, providing no organizational-level enforcement.

Concept tested. AWS Organizations SCP for CloudTrail protection

Reference. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
