🔥 3-day streak
AWS Certified Security - Specialty143 / 184
Question 143 of 184
A security governance team manages an AWS Organization with 200 accounts across multiple OUs. They centrally deploy GuardDuty, Config, and CloudTrail using delegated administrator accounts. Recently, a developer with local administrator privileges in a workload account disabled GuardDuty and stopped the account's CloudTrail trail to reduce noise. The team wants to prevent ANY member account principal — including account administrators — from disabling these security services, while still allowing the delegated security administrator account to manage them centrally. Which approach best enforces this at scale?
Reviewed for accuracy · Report an issueNext question