Question #1004
A company is managing multiple AWS accounts under an AWS Organizations structure. They need to ensure that AWS CloudTrail is enabled across all existing and future member accounts with minimal ongoing administration. Which solution provides the MOST operational efficiency?
Develop an AWS Lambda function that triggers upon the creation of a new AWS account via Amazon EventBridge. The function will create a CloudTrail trail in the new account and configure logging to a central S3 bucket.
Create a single CloudTrail trail in the organization's management account configured to log events across all member accounts in the organization.
Use AWS Service Control Policies (SCPs) to enforce the creation of a CloudTrail trail in every account. Attach the SCP to the root organizational unit (OU) to ensure compliance.
Implement an AWS Step Functions workflow that periodically checks for new accounts and deploys CloudTrail trails using AWS CloudFormation StackSets.
Explanation
Answer B is correct because AWS CloudTrail's organization trail feature allows the management account to create a single trail that automatically applies to all current and future member accounts in the organization. This eliminates the need for manual configuration, scripts, or policies to enforce compliance. The trail logs events across all accounts and centralizes logs in an S3 bucket specified by the management account.
Other options are less efficient:
- A requires custom Lambda code and EventBridge rules, adding complexity and maintenance.
- C uses SCPs, which cannot create trails; they only enforce policies if trails exist.
- D relies on periodic checks and StackSets, introducing delays and operational overhead.
Key points:
1. AWS Organizations allows centralized CloudTrail organization trails.
2. Organization trails automatically propagate to all member accounts.
3. Built-in AWS features minimize administrative effort compared to custom solutions.
Answer
The correct answer is: B