AWS CloudTrail Configuration for AWS Organizations | Exam SOA-C02

Configuring AWS CloudTrail for AWS Organizations

Question

An engineering firm is using AWS Organizations for managing a large number of accounts created in multiple regions.

Some critical files were recently deleted from an Amazon S3 bucket in a member account that the security team cannot track.

To avoid such issues in the future, Security Head wants you to configure AWS CloudTrail for all member accounts within AWS Organizations. Which of the following steps needs to be followed to meet this requirement?

Answers

Explanations



Correct Answer - A.

While creating trails from the console for member accounts in AWS Organizations, the Amazon S3 bucket is listed only for the master account and not for member accounts.

For member accounts, the ARN of the bucket can be used to configure trails.

Also, for member accounts, no additional cross-account access is required.

Option B is incorrect because, when creating CloudTrail trails for member accounts within AWS Organizations, no additional cross-account access needs to be provided.

Options C & D are incorrect because, in the console, the Amazon S3 bucket is listed only for the master account.

For member account resources, the bucket ARN needs to be specified.

For more information on creating trails for AWS Organizations, refer to the following URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html

To configure AWS CloudTrail for all member accounts within AWS Organizations, you can follow the steps given below:

  1. Create a Trail in the AWS CloudTrail console: You can create a trail in the AWS CloudTrail console by selecting the 'Trails' option in the left navigation pane and then clicking on the 'Create trail' button.

  2. Select the member accounts: While creating the trail, you can select the member accounts for which you want to enable CloudTrail. You can either select specific member accounts or all member accounts within the organization.

  3. Configure the trail settings: After selecting the member accounts, you need to configure the trail settings, such as the S3 bucket where the CloudTrail logs will be stored and the log file prefix.

  4. Enable cross-account logging: To enable CloudTrail logging for member accounts, you need to enable cross-account logging. You can do this either by adding the ARN of the S3 bucket in the member account to the bucket policy of the central logging account, or by using a resource-based policy that grants the logging account permission to write logs to the S3 bucket.

Based on the above steps, option B seems to be the correct answer. Option A is incorrect as it does not mention cross-account access. Option C is incorrect as it mentions manually configuring cross-account access, which is not required as AWS Organizations simplifies the process of enabling cross-account access. Option D is incorrect as it does not mention cross-account access.
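The part of this setup that actually decides whether member-account logs arrive is the S3 bucket policy on the central bucket: an organization trail is created once in the master (management) account, and the CloudTrail service principal then writes the management account's logs under `AWSLogs/<management-account-id>/` and every member account's logs under `AWSLogs/<org-id>/<member-account-id>/`, with no per-member cross-account access. The following Python is an added example, not code from the page or from AWS: it builds that bucket policy and audits an existing policy for the two delivery prefixes, the `GetBucketAcl` check, and an overly open `PutObject` grant. The account ID, organization ID, bucket name and trail ARN are constructed placeholders.

```python
"""Build and audit the S3 bucket policy an AWS Organizations trail needs."""
import json

# Constructed sample values; not real AWS identifiers.
MANAGEMENT_ACCOUNT_ID = "111111111111"
ORG_ID = "o-exampleorgid"
BUCKET = "example-org-cloudtrail-logs"
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{MANAGEMENT_ACCOUNT_ID}:trail/org-trail"
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def org_trail_bucket_policy(bucket, management_account_id, org_id, trail_arn):
    """Return the bucket policy that lets CloudTrail deliver an organization
    trail. Two object prefixes are needed: the management account's own logs
    and, under the organization ID, the logs of every member account. The
    aws:SourceArn condition pins the grant to this one trail."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:PutObject",
                "Resource": [
                    f"{bucket_arn}/AWSLogs/{management_account_id}/*",
                    f"{bucket_arn}/AWSLogs/{org_id}/*",
                ],
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_org_trail_bucket_policy(policy, bucket, management_account_id, org_id):
    """Audit a parsed bucket policy for organization-trail delivery.
    Returns a dict of booleans:
      mgmt_prefix_ok  CloudTrail may PutObject under AWSLogs/<management-account-id>/
      org_prefix_ok   CloudTrail may PutObject under AWSLogs/<org-id>/ (member accounts)
      acl_check_ok    CloudTrail may GetBucketAcl on the bucket
      open_principal  some statement allows PutObject to any principal ("*")
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    mgmt_prefix = f"{bucket_arn}/AWSLogs/{management_account_id}/*"
    org_prefix = f"{bucket_arn}/AWSLogs/{org_id}/*"
    result = {"mgmt_prefix_ok": False, "org_prefix_ok": False,
              "acl_check_ok": False, "open_principal": False}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # A wildcard principal with write access is a misconfiguration to flag.
        if principal == "*" or principal == {"AWS": "*"}:
            if "s3:PutObject" in actions or "s3:*" in actions:
                result["open_principal"] = True
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if CLOUDTRAIL_SERVICE not in services:
            continue
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            result["acl_check_ok"] = True
        if "s3:PutObject" in actions:
            result["mgmt_prefix_ok"] |= mgmt_prefix in resources
            result["org_prefix_ok"] |= org_prefix in resources
    return result


if __name__ == "__main__":
    policy = org_trail_bucket_policy(BUCKET, MANAGEMENT_ACCOUNT_ID, ORG_ID, TRAIL_ARN)
    print(json.dumps(policy, indent=2))
    print(audit_org_trail_bucket_policy(policy, BUCKET, MANAGEMENT_ACCOUNT_ID, ORG_ID))
```

A bucket that was set up for a single-account trail typically carries only the `AWSLogs/<account-id>/*` resource, so `org_prefix_ok` comes back false and member-account deliveries fail silently; that is the condition the audit is meant to catch. The trail itself is created in the management account (for example with `aws cloudtrail create-trail --is-organization-trail`, after trusted access for CloudTrail has been enabled in AWS Organizations), and the member accounts need no changes of their own.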