Your company owns a large number of AWS accounts managed by AWS Organizations. To meet security compliance, the CloudTrail should always be enabled in all AWS accounts. However, during the last couple of weeks, it was noticed that IAM users in certain AWS accounts disabled the CloudTrail feature. You need to add a restriction rule to prevent such actions. What is the best way to achieve that?

Answer options:

A.For each IAM user, configure an inline IAM policy to deny the CloudTrail StopLogging action.
B.Create an IAM policy to deny CloudTrail StopLogging action. Add the policy to each IAM user.
C.Configure a Service Control Policy (SCP) to deny the CloudTrail StopLogging action and add the policy to the relevant OUs in the organization.
D.For each IAM user, add a permission boundary to disallow the CloudTrail StopLogging action.

Answer: C
Option A is incorrect because this would be an inefficient method of adding inline permissions to a single IAM user and certainly is not the best way to achieve the task.
Option B is incorrect because this would be inefficient to add and manage deny permissions for all the IAM users. A company can have 1 to 1000 IAM users at a time.
Option C is CORRECT: Because an SCP can be configured in organizational units (OUs) and provide central control over the maximum available permissions for all accounts in the organization. Refer to the policy below
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "cloudtrail:StopLogging",
"Resource": "*"
}
]
}
Option D is incorrect because it is time-consuming to maintain each IAM user and it is also possible for an IAM user to modify the permission boundary unexpectedly. 
A general guide of how SCP is used can be found in
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html.
For more information on different types of SCP use cases, kindly refer to the below URL:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html.