Preventing Disabling of CloudTrail in AWS Accounts

How to Restrict IAM Users from Disabling CloudTrail in AWS Accounts

Question

Your company owns a large number of AWS accounts managed by AWS Organizations.

To meet security compliance, the CloudTrail should always be enabled in all AWS accounts.

However, during the last couple of weeks, it was noticed that IAM users in certain AWS accounts disabled the CloudTrail feature.

You need to add a restriction rule to prevent such actions.

What is the best way to achieve that?

Answers

Explanations


Answer: C.

Option A is incorrect because adding inline permissions to one IAM user at a time is an inefficient method and certainly not the best way to achieve the task.

Option B is incorrect because it would be inefficient to add and manage deny permissions for all the IAM users; a company can have anywhere from 1 to 1000 IAM users at a time.

Option C is CORRECT because an SCP can be attached to organizational units (OUs) and provides central control over the maximum available permissions for all accounts in the organization.

Refer to the policy below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "cloudtrail:StopLogging",
            "Resource": "*"
        }
    ]
}

Option D is incorrect because it is time-consuming to maintain a permission boundary for each IAM user, and it is also possible for an IAM user to modify the permission boundary unexpectedly.

A general guide to how SCPs are used can be found at:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

For more information on different SCP use cases, refer to the following URL:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html

The best way to prevent IAM users from disabling CloudTrail is to use a Service Control Policy (SCP) that denies the CloudTrail StopLogging action. An SCP is a type of policy that can be applied to an entire AWS Organization or a specific Organizational Unit (OU) within an Organization.

Option A: Configuring an inline IAM policy to deny the CloudTrail StopLogging action for each IAM user is not a scalable solution, as it requires manual configuration for each user. Additionally, new IAM users would need to be manually updated with the policy.

Option B: Creating an IAM policy to deny CloudTrail StopLogging action and adding the policy to each IAM user is also not a scalable solution. This option requires manual configuration for each IAM user, and new IAM users would need to be manually updated with the policy.

Option D: Adding a permission boundary for each IAM user to disallow the CloudTrail StopLogging action is also not the best solution. A permission boundary is a feature that sets the maximum permissions that an IAM entity can have. It is intended to be used for granting permissions, not restricting them. Additionally, new IAM users would need to be manually updated with the boundary.

Option C is the correct answer:

To implement the solution using SCPs, you would first need to create an SCP that denies the CloudTrail StopLogging action. Next, you would need to apply the SCP to the relevant Organizational Units (OUs) within your AWS Organization. Once the SCP is in place, any IAM user in the affected OUs will be unable to disable the CloudTrail feature.
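The following Python module is an added example, not code from the original page. It serves both the policy document shown earlier and the two-step procedure just described: it builds the SCP document, contains a small helper that creates and attaches it through an AWS Organizations client (the client object, such as boto3's `client("organizations")` authenticated as the management account, is passed in and is an assumption), and includes a simplified evaluator showing why an SCP Deny wins even over an identity policy that allows everything, and why a Deny-only SCP still needs the organization's allow-list SCP (the default "FullAWSAccess" policy) alongside it. The page only names `cloudtrail:StopLogging`; the extra CloudTrail actions in the default list (`DeleteTrail`, `UpdateTrail`, `PutEventSelectors`) are this example's own generalization to the other calls that can silence a trail.

```python
import fnmatch
import json

# Added example. The page's SCP denies only cloudtrail:StopLogging; the other
# three actions below are this example's extension (assumption: a guardrail
# should also block deleting, editing, or blinding the trail).
CLOUDTRAIL_GUARD_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors",
]

# AWS Organizations attaches an allow-everything SCP named FullAWSAccess by
# default; a Deny-only SCP is layered on top of it (constructed copy here).
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample identity policy: an administrator who can do anything.
ADMIN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def build_cloudtrail_guard_scp(actions=None, sid="DenyDisablingCloudTrail"):
    """Return the SCP document as a dict; json.dumps() it for the CLI or API."""
    actions = list(actions or CLOUDTRAIL_GUARD_ACTIONS)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Deny", "Action": actions, "Resource": "*"}
        ],
    }


def deploy_cloudtrail_guard_scp(org_client, target_id, name="DenyCloudTrailDisable"):
    """Create the SCP and attach it to an OU (or root/account) id.

    org_client is assumed to expose boto3's Organizations create_policy and
    attach_policy calls; target_id is an OU id such as 'ou-xxxx-placeholder'.
    Returns the new policy id."""
    created = org_client.create_policy(
        Content=json.dumps(build_cloudtrail_guard_scp()),
        Description="Prevent IAM principals from disabling CloudTrail",
        Name=name,
        Type="SERVICE_CONTROL_POLICY",
    )
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    org_client.attach_policy(PolicyId=policy_id, TargetId=target_id)
    return policy_id


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _policy_decision(policy, action):
    """'Deny' if any matching statement denies, 'Allow' if one allows,
    None when no statement matches (implicit deny)."""
    decision = None
    for stmt in policy["Statement"]:
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_action_matches(p, action) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def _policy_set_allows(action, policies):
    """A set of policies allows an action only if none denies it and at
    least one explicitly allows it."""
    decisions = [_policy_decision(p, action) for p in policies]
    return "Deny" not in decisions and "Allow" in decisions


def is_action_allowed(action, identity_policies, scps):
    """Simplified evaluation for a principal in a member account: the SCPs
    in effect must allow the action AND the principal's identity policies
    must allow it. An explicit Deny in either set blocks the call."""
    return _policy_set_allows(action, scps) and _policy_set_allows(
        action, identity_policies
    )


if __name__ == "__main__":
    guard = build_cloudtrail_guard_scp()
    print(json.dumps(guard, indent=2))
    for act in ("cloudtrail:StopLogging", "cloudtrail:DescribeTrails"):
        verdict = is_action_allowed(act, [ADMIN_IDENTITY_POLICY], [FULL_AWS_ACCESS, guard])
        print(f"{act}: {'allowed' if verdict else 'denied'}")
```

The evaluator deliberately ignores resource ARNs and conditions; it exists to show the ordering the page relies on: the SCP ceiling is checked before the principal's own permissions, so the admin policy cannot re-enable StopLogging, and a newly created IAM user in the OU inherits the same ceiling without any per-user configuration.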

In summary, the best solution to prevent IAM users from disabling CloudTrail is to use an SCP that denies the CloudTrail StopLogging action and apply it to the relevant OUs in your AWS Organization. This solution is scalable and ensures that any new IAM users added to the affected OUs are automatically subject to the policy.