ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 414 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 414
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company is using AWS Organizations to create OUs for its accounts. The company has more than 20 accounts that are all part of the OUs. A security engineer must implement a solution to ensure that no account can stop log file delivery to AWS CloudTrail.

Which solution will meet this requirement?

  • A. Use the --is-multi-region-trail option while running the create-trail command to ensure that logs are configured across all AWS Regions.
  • B. Create an SCP that includes a Deny rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
  • C. Create an SCP that includes an Allow rule for the cloudtrail:StopLogging action. Apply the SCP to all accounts in the OUs.
  • D. Use AWS Systems Manager to ensure that CloudTrail is always turned on.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by AdamWest at Nov. 23, 2022, 2:21 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
AdamWest
Highly Voted 2 years, 9 months ago
Selected Answer: B
B - Actual syntax would be: "Action": [ "cloudtrail:StopLogging", "cloudtrail:DeleteTrail" ], "Resource": "*", "Effect": "Deny"
upvoted 6 times
...
kejam
Most Recent 1 year, 9 months ago
Selected Answer: B
https://aws.amazon.com/blogs/industries/best-practices-for-aws-organizations-service-control-policies-in-a-multi-account-environment/
upvoted 1 times
...
AzureDP900
2 years, 5 months ago
B is right
upvoted 3 times
...
must_be_rohit
2 years, 7 months ago
Selected Answer: B
When its OU and policy need to be across all accounts... SCP is the correct option
upvoted 3 times
...
kerar
2 years, 8 months ago
Selected Answer: B
This SCP prevents users or roles in any affected account from disabling a CloudTrail log, either directly as a command or through the console. https://asecure.cloud/a/scp_cloudtrail/
upvoted 3 times
...
D2
2 years, 8 months ago
It's B
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel