
Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 251 discussion

A company has configured an organization in AWS Organizations for its AWS accounts. AWS CloudTrail is enabled in all AWS Regions.

A security engineer must implement a solution to prevent CloudTrail from being disabled.

Which solution will meet this requirement?

  • A. Enable CloudTrail log file integrity validation from the organization’s management account.
  • B. Enable server-side encryption with AWS KMS keys (SSE-KMS) for CloudTrail logs. Create a KMS key. Attach a policy to the key to prevent decryption of the logs.
  • C. Create an SCP that includes an explicit Deny rule for the StopLogging action and the DeleteTrail action. Attach the SCP to the root OU.
  • D. Create IAM policies for all the company’s users to prevent the users from performing the DescribeTrails action and the GetTrailStatus action.
Suggested Answer: C

Comments

Selected Answer: C
AWS Organizations allows Service Control Policies (SCPs) to restrict actions across all accounts in an organization or organizational units (OUs). An SCP with an explicit Deny for the StopLogging and DeleteTrail actions will prevent CloudTrail from being stopped or deleted, ensuring continuous logging. SCPs override any IAM permissions in the member accounts, making this the best and most effective solution.
upvoted 1 times
IPLogic
4 months, 3 weeks ago
Selected Answer: C
  • Service Control Policies (SCPs): These are powerful tools within AWS Organizations that allow you to enforce organization-wide controls over AWS resources and APIs.
  • Explicit Deny Rule: By explicitly denying the StopLogging and DeleteTrail actions, you ensure that no account within the organization can disable CloudTrail or delete the trails, thus maintaining compliance and continuous logging.
  • Root OU: Attaching the SCP to the root Organizational Unit ensures that the policy applies to all accounts within the organization, providing comprehensive coverage.
upvoted 1 times
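The SCP from answer C written out, with a small evaluator showing why an explicit Deny in an SCP overrides IAM permissions in member accounts and where that guarantee stops. This is an added example, not code from the exam page; the Sid, the simplified evaluation model (default FullAWSAccess SCP assumed) and the sample IAM allow-lists are my own.

```python
from fnmatch import fnmatchcase

# The SCP from answer C: an explicit Deny on the two CloudTrail actions,
# attached to the root OU so every member account inherits it. This is the
# document you would pass to `aws organizations create-policy`.
SCP_DENY_CLOUDTRAIL_TAMPERING = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingCloudTrail",  # constructed name
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        }
    ],
}


def _matches(pattern, action):
    # IAM action names are matched case-insensitively and '*' is a wildcard.
    return fnmatchcase(action.lower(), pattern.lower())


def scp_explicitly_denies(scp, action):
    """True if any Deny statement in the SCP matches the requested action."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            return True
    return False


def is_allowed(scp, iam_allowed_actions, action, is_management_account=False):
    """Simplified evaluation for a principal whose IAM policy allows
    `iam_allowed_actions`, assuming the default FullAWSAccess SCP is also
    attached: an explicit Deny in the SCP wins over any IAM Allow, which is
    why option D (IAM policies alone) cannot give the same guarantee.
    Caveat: SCPs never restrict the organization's management account."""
    iam_allows = any(_matches(p, action) for p in iam_allowed_actions)
    if is_management_account:
        return iam_allows
    return iam_allows and not scp_explicitly_denies(scp, action)
```

Because the management account is exempt, the trail's own protection (for example the KMS key and bucket policies) still matters for principals in that account.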
Community vote distribution: A (35%), C (25%), B (20%), Other