Exam AWS Certified Security - Specialty topic 1 question 273 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 273
Topic #: 1

A company plans to create individual child accounts within an existing organization in AWS Organizations for each of its DevOps teams. AWS CloudTrail has been enabled and configured on all accounts to write audit logs to an Amazon S3 bucket in a centralized AWS account. A security engineer needs to ensure that DevOps team members are unable to modify or disable this configuration.
How can the security engineer meet these requirements?

  • A. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply the policy to the AWS account root user.
  • B. Create an S3 bucket policy in the specified destination account for the CloudTrail trail that prohibits configuration changes from the AWS account root user in the source account.
  • C. Create an SCP that prohibits changes to the specific CloudTrail trail and apply the SCP to the appropriate organizational unit or account in Organizations.
  • D. Create an IAM policy that prohibits changes to the specific CloudTrail trail and apply to a new IAM group. Have team members use individual IAM accounts that are members of the new IAM group.
Suggested Answer: C
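As an added example (not part of the exam page, and not an AWS-published policy), the kind of SCP that answer C describes: an explicit Deny on the CloudTrail API calls that would alter or stop a trail, together with a small evaluator showing that the Deny matches the trail in every member account regardless of what IAM permissions the caller holds. The trail name, the action list and the account ids are assumptions.

```python
import fnmatch

# Constructed values: one trail name used in every member account; "*" for the
# region and account id lets a single statement cover the trail in each account.
TRAIL_NAME = "org-audit-trail"  # assumed trail name
TRAIL_ARN_PATTERN = f"arn:aws:cloudtrail:*:*:trail/{TRAIL_NAME}"

# Assumed SCP document: an explicit Deny on the calls that alter or disable a trail.
PROTECT_TRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailTampering",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "cloudtrail:UpdateTrail",
            "cloudtrail:PutEventSelectors",
        ],
        "Resource": TRAIL_ARN_PATTERN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_allows(scp, action, resource_arn):
    """Return False when a Deny statement in the SCP matches the API call.
    An SCP is a boundary, not a grant: an explicit Deny overrides whatever IAM
    permissions the caller holds, and the absence of a Deny permits nothing by
    itself. Actions match case-insensitively; ARNs match case-sensitively with
    IAM-style '*' and '?' wildcards (fnmatch semantics are close enough here).
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return False
    return True


if __name__ == "__main__":
    arn = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit-trail"
    print(scp_allows(PROTECT_TRAIL_SCP, "cloudtrail:StopLogging", arn))  # False
```

Unlike the IAM policy in option D, an SCP Deny applies to every principal in the member account, including its root user and any administrator, so nobody inside the child account can edit it away. Note that SCPs do not affect the organization's management account, which is why the central audit account should not also be the management account.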

Comments

Chosen Answer:
hk436
Highly Voted 3 years, 8 months ago
C is my answer!
upvoted 13 times
kiev
Highly Voted 3 years, 8 months ago
C for me as well, as we use SCP to prohibit actions in AWS Organizations.
upvoted 9 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: C
SCP to prohibit even the most privileged IAM user in member accounts from making changes to the CT trail. C is correct.
upvoted 1 times
ITGURU51
2 years, 2 months ago
AWS organizations = SCP answer C
upvoted 1 times
jishrajesh
2 years, 6 months ago
selected C
upvoted 1 times
Bosch123
2 years, 8 months ago
Selected Answer: D
Even if the accounts are in an Org, from the question it looks like the trail is in the individual account instead of an org trail. With this I will go for option C as it restricts users from modifying the trails.
upvoted 2 times
watoz1851
2 years, 10 months ago
Selected Answer: C
The requirement needs to restrict all the DevOps account members.
upvoted 2 times
Rja148393
2 years, 11 months ago
Selected Answer: D
D - Although SCP seems interesting, the control level they want is at the DevOps team level. SCP will block all users.
upvoted 1 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: C
C. Simple answer, much more secure and easier than D. LaLune does make a little bit of sense, but the control of security is important. When it is needed for any change, the security engineer/admin can move the specific account out of the OU, or remove the SCP from the account.
upvoted 2 times
Malluchan
3 years, 2 months ago
Answer is D. The key is "inside an existing organization in AWS Organizations". Answer C will apply to the whole OU, so I will go with D.
upvoted 1 times
ceros399
3 years, 3 months ago
Selected Answer: C
Ans = C
upvoted 2 times
mx677
3 years, 4 months ago
Selected Answer: C
SCP protects the CloudTrail trail.
upvoted 2 times
lotfi50
3 years, 4 months ago
Selected Answer: C
Answer is C.
upvoted 2 times
Radhaghosh
3 years, 5 months ago
Answer is C
upvoted 1 times
LaLune
3 years, 5 months ago
The engineer does not want team members to change the CloudTrail trail. Maybe someone else can do such a change (option would not allow that). That is why D is straight to the requirement! The answer is D.
upvoted 1 times
AkaAka4
3 years, 7 months ago
Why not D? Just asking. Thanks!
upvoted 1 times
Radhaghosh
3 years, 5 months ago
Only an SCP can protect. Otherwise a user with admin privileges can/will modify the IAM policy in the respective accounts.
upvoted 1 times
fais1985
3 years, 8 months ago
Yes, C looks fine, as in the Q they have mentioned AWS Organizations.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other