A company has configured an organization in AWS Organizations for its AWS accounts.

AWS CloudTrail is a foundational security service that records API activity and account events. According to the AWS Certified Security – Specialty Official Study Guide,the only way to centrally and reliably prevent CloudTrail from being disabled across multiple AWS accounts is by using AWS Organizations service control policies (SCPs).

SCPs define themaximum available permissionsfor all accounts in an organization or organizational unit. By creating an SCP with an explicitDenyfor the cloudtrail:StopLogging and cloudtrail:DeleteTrail actions and attaching it to theroot OU, the security engineer ensures thatno principal in any member account—including administrators—can stop or delete CloudTrail trails. Explicit denies in SCPs cannot be overridden by IAM permissions.

Option A is incorrect because log file integrity validation only detects tampering after logs are delivered and does not prevent CloudTrail from being disabled. Option B protects log data at rest but does not prevent trail deletion or logging suspension. Option D removes read-only permissions and does not affect the ability to stop or delete CloudTrail.

AWS documentation explicitly states thatSCPs are the recommended mechanism to enforce mandatory security controls such as CloudTrail logging across an organization, making this the correct and most secure solution.

AWS Certified Security – Specialty Official Study Guide

AWS Organizations SCP Documentation

AWS CloudTrail Security Best Practices