An engineering firm is using AWS Organizations for managing a large number of accounts created in multiple regions. Some critical files were recently deleted from an Amazon S3 bucket in a member account that the security team cannot track. To avoid such issues in the future, Security Head wants you to configure AWS CloudTrail for all member accounts within AWS Organizations.
 Which of the following steps needs to be followed to meet this requirement?

Answer options:

A.Create Trails in the console by adding ARNs of Amazon S3 bucket in member account without additional cross-account access.
B.Create Trails in the console by adding ARNs of Amazon S3 bucket in member account & manually configure cross-account access to these resources.
C.Create Trails in the console by selecting the listed Amazon S3 bucket of member accounts & manually configure cross-account access to these resources.
D.Create Trails in the console by selecting the listed Amazon S3 bucket of member accounts without additional cross-account access.

Correct Answer – A
While creating Trails from the console for member accounts in an AWS Organizations, the Amazon S3 bucket is listed only for a master account and not for member accounts. For member accounts, the ARN of this resource can be used to configure Trails. Also, for member accounts, no additional cross-account access is required.
Option B is incorrect as while creating CloudTrail for member accounts within AWS Organizations, no additional cross-account access is required to be provided.
Options C & D are incorrect as the console Amazon S3 bucket is listed only for Master accounts. For Member accounts resources, ARN needs to be specified.
 For more information creating trails for AWS Organisation, refer to the following URL-
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html