You maintain an AWS Organization that contains several Organizational Units (OUs).
Each OU has multiple AWS accounts.
You want to create a central CloudTrail to record events in all the accounts within the Organization.
The new trail must be enabled for all regions and logged in a single centralized S3 bucket. How would you configure the CloudTrail for the Organization?
A. B. C. D.
Answer: D.
Option A is incorrect because you only need to apply the trail to the Organization instead of to each child account.
Option B is incorrect because you do not need to create a trail in each account and manage it.
A central trail is enough to work for the organization and enables logging for all AWS accounts under the OU.
Option C is incorrect because only a user or role in the master account can create an organization trail.
A normal IAM user in a member account would not be able to do so.
Option D is CORRECT because you can specify to apply CloudTrail to your organization.
This is an efficient way of enabling CloudTrail in all regions for all your accounts under the Organizational Unit (OU).
Reference:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.html

The correct answer for configuring a central CloudTrail to record events in all accounts within an AWS Organization is A. Use an IAM role in the master account to create a new trail. Configure the trail to apply to all the child accounts within the organization.
Here is a more detailed explanation:
CloudTrail is an AWS service that logs API activity within an account. It is used for auditing, compliance, and security purposes. In an AWS Organization, where multiple accounts are managed, it is essential to have a centralized trail that records events from all of the accounts.
To create a central CloudTrail in an AWS Organization, the following steps can be taken:
1. Create an IAM role in the master account of the organization that has permissions to create and manage trails in all the child accounts.
2. Configure the CloudTrail service in the master account to apply to all the child accounts within the organization.
3. Specify the S3 bucket in which the CloudTrail logs should be stored.
4. Enable CloudTrail for all regions.
5. Choose the types of events that should be logged, such as management events or data events.
By creating a centralized trail from the master account, it becomes easier to manage and monitor logs across all accounts in the organization. Additionally, storing all logs in a single S3 bucket reduces the risk of losing log data and makes the logs easier to analyze.
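The following is an added example, not code from the original page or from AWS: it builds the request for an organization trail (all regions, all member accounts, one central bucket) and the S3 bucket policy the CloudTrail service principal needs in order to write into that bucket, and it checks an existing trail record against the requirement stated in the question. It uses only the Python standard library; the trail name, bucket name, account ID and organization ID are constructed placeholders, and the resulting dictionaries are the arguments you would pass to boto3's `cloudtrail.create_trail()` and `s3.put_bucket_policy()`.

```python
"""Added example (not from the original page): organization trail request,
central-bucket policy, and a compliance check. Standard library only."""
import json

# Constructed placeholder identifiers (not from the page).
TRAIL_NAME = "org-central-trail"
BUCKET = "example-central-cloudtrail-logs"
MANAGEMENT_ACCOUNT_ID = "111111111111"
ORG_ID = "o-exampleorgid"
SERVICE_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}


def create_trail_request(name, bucket, kms_key_arn=None):
    """Keyword arguments for cloudtrail.create_trail(**request):
    one trail, all regions, covering every account in the organization."""
    request = {
        "Name": name,
        "S3BucketName": bucket,
        "IsMultiRegionTrail": True,       # all regions, not only the home region
        "IsOrganizationTrail": True,      # member accounts are included automatically
        "EnableLogFileValidation": True,  # digest files make log tampering detectable
    }
    if kms_key_arn:
        request["KmsKeyId"] = kms_key_arn  # optional SSE-KMS for the log objects
    return request


def organization_trail_bucket_policy(bucket, management_account_id, org_id):
    """Bucket policy letting the CloudTrail service check the bucket ACL and
    write under both the management account's and the organization's prefix.
    Member-account logs land under AWSLogs/<org-id>/<account-id>/."""
    def write_statement(sid, prefix):
        return {
            "Sid": sid,
            "Effect": "Allow",
            "Principal": SERVICE_PRINCIPAL,
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{prefix}/*",
            # The service must hand object ownership to the bucket owner.
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        }

    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": SERVICE_PRINCIPAL,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            write_statement("AWSCloudTrailWrite", management_account_id),
            write_statement("AWSCloudTrailOrganizationWrite", org_id),
        ],
    }


def trail_meets_requirement(trail, bucket):
    """Check a describe_trails()-style record against the question's requirement:
    multi-region, organization-wide, logging to the single central bucket.
    Returns a list of problems; an empty list means the trail is compliant."""
    problems = []
    if not trail.get("IsMultiRegionTrail"):
        problems.append("not multi-region")
    if not trail.get("IsOrganizationTrail"):
        problems.append("not an organization trail")
    if trail.get("S3BucketName") != bucket:
        problems.append(f"logs to {trail.get('S3BucketName')!r}, expected {bucket!r}")
    return problems


if __name__ == "__main__":
    print(json.dumps(create_trail_request(TRAIL_NAME, BUCKET), indent=2))
    print(json.dumps(organization_trail_bucket_policy(BUCKET, MANAGEMENT_ACCOUNT_ID, ORG_ID), indent=2))
    # Constructed record resembling a per-account, single-region trail:
    # the configuration the question's options B and C would leave you with.
    legacy = {"Name": "legacy", "S3BucketName": "some-other-bucket",
              "IsMultiRegionTrail": False, "IsOrganizationTrail": False}
    print(trail_meets_requirement(legacy, BUCKET))
```

The request is only valid when run with credentials from the organization's management account (or a delegated administrator) and with trusted access for CloudTrail enabled in AWS Organizations; a member-account principal cannot set `IsOrganizationTrail`. For a bucket that receives logs from other accounts, also consider adding an `aws:SourceArn` condition naming the trail's ARN to the write statements, which AWS recommends to prevent the confused-deputy problem.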
Option B is not the best approach since it requires creating a trail in each account and then creating an organizational trail in the master account to include all the child account trails.
Option C is incorrect since it requires creating a trail in each account separately, and it may become difficult to manage and monitor logs across all the accounts in the organization.
Option D is incorrect since it requires creating a trail using an IAM user, which is not the best practice for managing access and permissions in an AWS Organization. IAM roles should be used instead of IAM users whenever possible.