🔥 3-day streak
AWS Certified Security - Specialty120 / 157
Question 120 of 157

A security team manages a 200-account AWS Organization. They centrally enable GuardDuty, AWS Config, and CloudTrail in every account through delegated administration. Recently, an application team's IAM administrator in a member account stopped their local CloudTrail trail and disabled AWS Config recorders to reduce noise, creating a compliance gap. The security team wants to guarantee that no principal in any member account — including account administrators — can disable or delete these foundational security services, while still allowing normal application development. What is the MOST effective way to enforce this organization-wide?

Reviewed for accuracy · Report an issueNext question