You maintain an AWS Organization that contains several Organizational Units (OUs). Each OU has multiple AWS accounts. You want to create a central CloudTrail to record events in all the accounts within the Organization. The new trail must be enabled for all regions and logged in a single centralized S3 bucket.
How would you configure the CloudTrail for the Organization?

Answer options:

A.Use an IAM role in the master account to create a new trail. Configure the trail to apply to all the child accounts within the organization.
B.Use an IAM user in each account to create a trail. In the master account, create an organizational trail to include all the trails created in the child accounts.
C.Login in the AWS console using any account within the Organization. Create a new trail in the CloudTrail service. Select all Organizational Units to add to the trail.
D.Use an IAM user in the master account to create a new trail. Configure the trail to apply to the AWS Organization. 

Answer: D
Option A is incorrect because you only need to apply the trail to the Organization instead of all child account.
Option B is incorrect because you do not need to create a trail in each account and manage it. A central trail is enough to work for the organization and enables logging for all AWS accounts under the OU.
Option C is incorrect because only a user or role in the master account can create. A normal IAM user would not be able to do so.
Option D is CORRECT because you can specify to apply CloudTrail to your organization. This is an efficient way of enabling CloudTrail in all regions for all your accounts under the Organization Unit (OU).
Reference:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.html