A large company starts to use AWS organizations with the consolidated billing feature to manage its separate departments. The AWS operation team has just created 3 OUs (organization units) with 2 AWS accounts each. To be compliant with company-wide security policy, CloudTrail is required for all AWS accounts which is already been set up. However, after some time, there are cases that users in certain OU have turned off the CloudTrail of their accounts. What is the best way for the AWS operation team to prevent this from happening again?

Answer options:

A.Update the AWS Organizations feature sets to “All features” and then create a Service Control Policies (SCP) to Prevent Users from Disabling AWS CloudTrail. This can be achieved by a deny policy with cloudtrail:StopLogging denied.
B.This can be achieved by Service Control Policies (SCP) in the “All features” set. The team needs to delete and recreate the AWS Organizations with “All features” enabled and then use a proper control policy to limit the operation of cloudtrail:StopLogging.
C.In each AWS account in this organization, create an IAM policy to deny cloudtrail:StopLogging for all users including administrators.
D.Use Service Control Policies (SCP) to prevent users from disabling AWS CloudTrail. This can be done by a allow policy that denies cloudtrail:StopLogging.

Correct Answer – AAWS Organizations has provided two feature sets.
Consolidated billing – This feature set provides shared billing functionality but does not include the more advanced features of AWS Organizations.
All features – The complete feature set that is available to AWS Organizations. It includes all the functionality of consolidated billing and advanced features that give you more control over your organization`s accounts. For example, when all features are enabled, the master account of the organization has full control over what member accounts can do. The master account can apply SCPs to restrict the services and actions that users (including the root user) and roles in an account can access. It can prevent member accounts from leaving the organization.
In this case, we should use “All features”. One thing to note is that the feature sets can be upgraded in flight. It does not need to delete/recreate the AWS Organizations.
Option A is CORRECT: Because SCP is suitable for limiting actions that AWS accounts in an Organization can do. Below is an example of a deny policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "cloudtrail:StopLogging",
"Resource": "*"
}
]
}
Option B is incorrect: Because it does not need to delete/recreate the AWS Organizations to upgrade feature sets.
Option C is incorrect: Because although it can potentially work, it has lots of repeatable work and is not straightforward if compared with
Option A.Option D is incorrect: Because it does not mention the upgrade of feature sets. Secondly, the allow policy is incorrect as this case only requires limiting CloudTrail deletion. Allow policy implicitly prevents everything except for several allow items.