You are a compliance officer at a large life sciences company utilizing numerous AWS accounts across multiple development teams. The AWS accounts are managed under an AWS Organization. In order to ensure HIPAA compliance, you must ensure that the log file delivery of AWS CloudTrail is not suspended by any AWS account. What is the most efficient way to accomplish this task?

Answer options:

A.Use AWS Config CLOUD_TRAIL_ENABLED rule to ensure CloudTrail is turned on.
B.Use --is-multi-region-trail CloudTrail flag to specify that the CloudTrail will log events in all AWS Regions.
C.Create an SCP with a deny rule on action "cloudtrail:StopLogging" and apply the SCP to the related OUs.
D.Use AWS Systems Manager State Manager to ensure that CloudTrail is turned on.

Answer: C
Option A is incorrect because AWS Config only periodically checks if the rule is true. It applies only to one account.
Option B is incorrect because it checks if CloudTrail is turned on in all regions of a single account. It cannot check all the AWS accounts.
Option C is CORRECT because the SCP policy can apply to all the accounts in the AWS Organization. The action to suspend the CloudTrail logging is denied.
Option D is incorrect because State Manager is used for the management of EC2. It cannot be used to check the CloudTrail state.
Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html