Q151. A large company starts to use AWS organizations with consolidated billing feature to manage its separate departments. The AWS operation team has just
Created 3 OUs (organization units) with 2 AWS accounts each. To be compliant with company-wide security policy CloudTrail is required for all AWS accounts which is already been set up. However after some time there are cases that users in certain OU have turned off the CloudTrail of their accounts. What is the best way for the AWS operation team to prevent this from happening again?
A.Update the AWS Organizations feature sets to features?and then create a Service Control Policies (SCP) to Prevent Users from Disabling AWS CloudTrail. This can be achieved by a deny policy with cloudtrail:StopLogging denied. B.This can be achieved by Service Control Policies (SCP) in features?set. The team needs to delete and recreate the AWS Organizations with features?enabled and then use a proper control policy to limit the operation of cloudtrail:StopLogging. C.In each AWS account in this organization create an IAM policy to deny cloudtrail:StopLogging for all users including administrators. D.Use a Service Control Policies (SCP) to prevent users from disabling AWS CloudTrail. This can be done by a allow policy which denies cloudtrail:StopLogging正确答案A
