You are a compliance officer at a large life sciences company utilizing numerous AWS accounts across multiple development teams.
The AWS accounts are managed under an AWS Organization.
In order to ensure HIPAA compliance, you must ensure that the log file delivery of AWS CloudTrail is not suspended by any AWS account.
What is the most efficient way to accomplish this task?
A. Use AWS Config CLOUD_TRAIL_ENABLED rule to ensure CloudTrail is turned on.
B. Use --is-multi-region-trail CloudTrail flag to specify that the CloudTrail will log events in all AWS Regions.
C. Create an SCP with a deny rule on action "cloudtrail:StopLogging" and apply the SCP to the related OUs.
D. Use AWS Systems Manager State Manager to ensure that CloudTrail is turned on.
Answer: C.
Option A is incorrect because AWS Config only periodically checks if the rule is true.
It applies only to one account.
Option B is incorrect because it checks if CloudTrail is turned on in all regions of a single account.
It cannot check all the AWS accounts.
Option C is CORRECT because an SCP can apply to all the accounts in the AWS Organization.
The action to suspend the CloudTrail logging is denied.
Option D is incorrect because State Manager is used for the management of EC2 instances.
It cannot be used to check the CloudTrail state.
Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
The correct answer is C. Create an SCP with a deny rule on action "cloudtrail:StopLogging" and apply the SCP to the related OUs.
Explanation:
To ensure that the log file delivery of AWS CloudTrail is not suspended by any AWS account, we need to prevent any user from stopping the CloudTrail logging in the AWS accounts. Therefore, the most efficient way to accomplish this task is to create a Service Control Policy (SCP) with a deny rule on the action "cloudtrail:StopLogging" and apply the SCP to the relevant AWS Organization Units (OUs).
AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations allows us to apply policies to multiple accounts at once, simplifying the task of managing multiple accounts.
An SCP is a policy that defines the maximum permissions for all the accounts in an organization, or for a specific OU in the organization. By creating an SCP, we can restrict the permissions of the member accounts in the AWS Organization.
In this case, we need to create an SCP with a deny rule on the action "cloudtrail:StopLogging", which prevents any user from stopping CloudTrail logging in the AWS accounts. By applying this SCP to the related OUs, we ensure that CloudTrail logging cannot be suspended in any of those accounts.
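The SCP described above, written out as an added example (it is not from the original page or from the linked AWS reference). It denies cloudtrail:StopLogging on every trail; the additional cloudtrail:DeleteTrail entry goes one step beyond the question, since deleting a trail also ends its log delivery. The Sid value is my own label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySuspendingCloudTrailLogging",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach the policy to the OUs that contain the member accounts; an SCP never applies to the organization's management account, and it only bounds what principals in an account may do, so it does not by itself verify that a trail exists or is logging.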
Option A: Use AWS Config CLOUD_TRAIL_ENABLED rule to ensure CloudTrail is turned on. This option is incorrect because it only verifies if CloudTrail is turned on, but it does not ensure that it cannot be turned off.
Option B: Use --is-multi-region-trail CloudTrail flag to specify that the CloudTrail will log events in all AWS Regions. This option is incorrect because it does not prevent CloudTrail from being turned off in any of the AWS accounts.
Option D: Use AWS Systems Manager State Manager to ensure that CloudTrail is turned on. This option is incorrect because it only verifies if CloudTrail is turned on, but it does not ensure that it cannot be turned off.
In summary, to ensure that the log file delivery of AWS CloudTrail is not suspended by any AWS account, the most efficient way is to create an SCP with a deny rule on the action "cloudtrail:StopLogging" and apply the SCP to the related OUs.