Your organization has hundreds of developers using AWS accounts. Based on the organization policy, when a developer joins the company, a new AWS account is created for that user and added to the AWS Organisation for development and testing purposes.

Answer options:

A.Implement Service Control Policies to whitelist or blacklist different AWS services depending on the user role.
B.Use the CloudWatch Events to track the user activities.
C.Enable CloudTrail in the user accounts to track and log user activities, and redirect the logs to the organization-wise S3 bucket for processing.
D.Run AWS Lambda on individual user accounts to check for malicious activities.
E.Assign IAM policies to only allow certain activities.

Correct Answers: A, B, C, and E
Option A is CORRECT because the SCP or Service Control Policies can be used to allow/deny different AWS services depending on the requirement.
Option B is CORRECT because the CloudWatch Events can be tracked based on CloudTrail API calls. This can be the starting point for collecting the information from the user accounts. For example, some CloudWatch Events can be triggered for an EC2 instance has been launched. However, this alone will not work, and some form of analysis will require to run on these events.
Option C is CORRECT because the CloudTrail logs can be aggregated to the central S3 bucket and analyzed there. 
Option D is INCORRECT because this will not be an effective and scalable solution. There will be thousands of events, and it may not make any sense to process each of them for malicious activities.
Option E is CORRECT because Users and roles must still be granted permissions with appropriate IAM permission policies. A user without any IAM permission policies has no access at all, even if the applicable SCPs allow all services and all actions.