🔥 3-day streak
AWS Certified Security - Specialty23 / 157
Question 23 of 157

A financial services company uses AWS Control Tower to govern 40 member accounts across multiple OUs. The security team has a compliance requirement: developers must never be able to disable AWS CloudTrail logging in any account, and any account that has an S3 bucket without server-side encryption must be flagged for review (but not blocked). The team wants to implement both requirements using Control Tower guardrails with the least operational overhead. Which combination of guardrails should they apply?

Reviewed for accuracy · Report an issueNext question