A large company starts to use AWS organizations with the consolidated billing feature to manage its separate departments.
The AWS operation team has just created 3 OUs (organization units) with 2 AWS accounts each.
To be compliant with the company-wide security policy, CloudTrail is required for all AWS accounts, and it has already been set up.
However, after some time, there have been cases where users in a certain OU turned off CloudTrail in their accounts.
What is the best way for the AWS operation team to prevent this from happening again?
A. B. C. D.
Correct Answer - A
AWS Organizations provides two feature sets.
Consolidated billing - This feature set provides shared billing functionality but does not include the more advanced features of AWS Organizations.
All features - The complete feature set that is available to AWS Organizations.
It includes all the functionality of consolidated billing and advanced features that give you more control over your organization's accounts.
For example, when all features are enabled, the master account of the organization has full control over what member accounts can do.
The master account can apply SCPs to restrict the services and actions that users (including the root user) and roles in an account can access.
It can prevent member accounts from leaving the organization.
In this case, we should use “All features”.
One thing to note is that the feature set can be upgraded in place.
There is no need to delete and recreate the AWS Organization.
Option A is CORRECT: Because SCP is suitable for limiting actions that AWS accounts in an Organization can do.
Below is an example of a deny policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "cloudtrail:StopLogging",
      "Resource": "*"
    }
  ]
}
Option B is incorrect: Because there is no need to delete and recreate the AWS Organization in order to upgrade feature sets.
Option C is incorrect: Because although it could potentially work, it involves a lot of repetitive work and is not straightforward compared with Option A.
Option D is incorrect: Because it does not mention the upgrade of feature sets.
Secondly, the allow policy is incorrect, as this case only requires limiting CloudTrail deletion.
An allow-list policy implicitly denies everything except the few actions it explicitly allows.
Option A is the best solution for preventing users from turning off CloudTrail in their AWS accounts.
Here's why:
Update the AWS Organizations feature sets to “All features” - This will enable the use of Service Control Policies (SCP), which are a powerful tool for managing permissions and access across AWS accounts within an organization. By enabling all features, the organization will have access to a broader range of policy options for managing its accounts.
Create a Service Control Policy (SCP) - SCPs enable organizations to establish granular controls over the actions that can be taken in their AWS accounts. In this case, the organization can create an SCP that denies users from disabling CloudTrail logging in their accounts. This can be achieved by adding a "deny" policy statement that explicitly denies the cloudtrail:StopLogging action.
Apply the SCP to the relevant OUs - Once the SCP is created, it can be applied to the OUs where users have been turning off CloudTrail logging. This will ensure that any future attempts to disable CloudTrail logging in those accounts will be denied.
Monitor compliance - The AWS operation team should regularly monitor compliance with the SCP to ensure that users are not attempting to disable CloudTrail logging in their accounts. This can be done by reviewing CloudTrail logs and setting up alerts for any suspicious activity.
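The deny SCP and the compliance check above, as an added example (not part of the original question or answer). It builds the policy document, evaluates whether a given action would be blocked by it, and scans constructed CloudTrail records for tampering attempts. It goes beyond the page's policy by also denying cloudtrail:DeleteTrail and cloudtrail:UpdateTrail, an assumption that the team wants trail deletion and reconfiguration blocked as well.

```python
import fnmatch
import json

# Actions that disable or weaken CloudTrail. Only StopLogging is on the page;
# DeleteTrail/UpdateTrail are added (assumption: block deletion/reconfig too).
PROTECTED_ACTIONS = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                     "cloudtrail:UpdateTrail"]

def build_scp(actions=PROTECTED_ACTIONS):
    """Return the deny-only SCP document as a JSON string."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyCloudTrailTampering", "Effect": "Deny",
        "Action": list(actions), "Resource": "*"}]}, indent=2)

def is_denied(scp_json, action):
    """Minimal SCP check: blocked if any Deny statement's Action pattern
    matches (IAM '*'/'?' wildcards). Allow statements are ignored."""
    for stmt in json.loads(scp_json)["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        pats = stmt["Action"]
        pats = [pats] if isinstance(pats, str) else pats
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats):
            return True
    return False

def find_tampering(events):
    """Scan CloudTrail records for protected actions. Returns (blocked,
    succeeded): calls the SCP denied vs. calls that went through."""
    blocked, succeeded = [], []
    for ev in events:
        action = ev["eventSource"].split(".")[0] + ":" + ev["eventName"]
        if action not in PROTECTED_ACTIONS:
            continue
        who = ev["userIdentity"].get("arn", "unknown")
        bucket = blocked if ev.get("errorCode") == "AccessDenied" else succeeded
        bucket.append((who, action))
    return blocked, succeeded

# Constructed sample records (not real logs): one denied StopLogging, one
# DeleteTrail that succeeded (a gap to investigate), one unrelated call.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev1"},
     "errorCode": "AccessDenied"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/dev2"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/dev2"}},
]
```

A successful entry in the second list means the call was not covered by the SCP attached to that account's OU, which is exactly what the monitoring step is meant to surface.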
Option B is not the best solution because it involves deleting and recreating the AWS Organizations with "All features" enabled. This can be a time-consuming and disruptive process, and may not be necessary if the organization only needs to enable a specific SCP.
Option C is not the best solution because it involves creating an IAM policy for each AWS account, which can be difficult to manage and enforce across a large number of accounts. Additionally, this approach does not take advantage of the SCP feature provided by AWS Organizations.
Option D is not the best solution because it suggests using an "allow" policy to deny the cloudtrail:StopLogging action. This is not a recommended approach because "allow" policies can be difficult to manage and can lead to unintended consequences if not configured correctly. Additionally, it is generally better to use "deny" policies to explicitly prohibit certain actions, rather than relying on "allow" policies to implicitly grant access.