AWS CloudTrail organization trails are specifically designed to provide centralized, organization-wide logging with minimal operational effort. According to the AWS Certified Security – Specialty Official Study Guide, an organization trail records all management events for all member accounts and delivers them to a single Amazon S3 bucket.
To ensure that logs cannot be altered or deleted, Amazon S3 Object Lock in compliance mode must be used. Compliance mode enforces write-once-read-many (WORM) protection, meaning no user, including the root user, can delete or modify objects before the retention period expires. This directly satisfies the requirement that no changes or deletions are allowed for 2 years.
The S3 bucket must reside in the dedicated security account to provide isolation and strong security boundaries. Granting write permissions to the organization’s management account (Option A) aligns with AWS best practices, because the management account owns and manages the organization trail and centrally delivers logs on behalf of all member accounts.
Option B increases attack surface by allowing all member accounts to write directly. Option C does not meet immutability requirements because lifecycle policies do not prevent deletion. Option E introduces unnecessary services and operational complexity.
AWS documentation explicitly identifies the combination of CloudTrail organization trails + S3 Object Lock (compliance mode) as the recommended, lowest-overhead solution for long-term, immutable audit log retention.
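The two pieces of configuration this answer rests on, as an added example that is not from the study guide or from AWS documentation: the Object Lock default retention (compliance mode, 2 years) and the bucket policy that lets the management account's organization trail write into the security account's bucket, plus a check that rejects governance mode or a shorter retention. Bucket name, organization ID, account ID, region and trail ARN are placeholders, and the policy shape follows the usual CloudTrail-to-S3 pattern (assumed, not quoted from the page).

```python
"""Pure Python, no AWS calls: the dicts are the shapes boto3 accepts for
put_object_lock_configuration and put_bucket_policy (Object Lock itself
must be switched on when the bucket is created)."""
import json

# Placeholder values (assumed for this example, not from the page).
BUCKET = "example-org-cloudtrail-logs"        # lives in the security account
ORG_ID = "o-exampleorgid"
MGMT_ACCOUNT = "111111111111"                 # organization management account
TRAIL_ARN = f"arn:aws:cloudtrail:us-east-1:{MGMT_ACCOUNT}:trail/org-trail"
MIN_RETENTION_DAYS = 2 * 365                  # "no changes or deletions for 2 years"

def object_lock_config(mode: str = "COMPLIANCE", years: int = 2) -> dict:
    """Default retention applied to every object CloudTrail writes."""
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Years": years}}}

def trail_bucket_policy() -> dict:
    """Grant CloudTrail delivery for the one organization trail owned by the
    management account; aws:SourceArn keeps other trails from writing here."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": [f"arn:aws:s3:::{BUCKET}/AWSLogs/{MGMT_ACCOUNT}/*",
                      f"arn:aws:s3:::{BUCKET}/AWSLogs/{ORG_ID}/*"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "aws:SourceArn": TRAIL_ARN}}}]}

def retention_problems(cfg: dict, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Reasons a retention config fails the 2-year WORM requirement ([] = ok)."""
    problems = []
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    if cfg.get("ObjectLockEnabled") != "Enabled" or not rule:
        return ["Object Lock default retention is not configured"]
    if rule.get("Mode") != "COMPLIANCE":
        problems.append("mode is %s, not COMPLIANCE; governance mode can be "
                        "bypassed by principals holding s3:BypassGovernanceRetention"
                        % rule.get("Mode"))
    days = rule.get("Days", 0) + rule.get("Years", 0) * 365   # S3 sets one of the two
    if days < min_days:
        problems.append(f"retention of {days} days is shorter than {min_days}")
    return problems

if __name__ == "__main__":
    print(retention_problems(object_lock_config("GOVERNANCE", 1)))  # two findings
    print(json.dumps(trail_bucket_policy(), indent=2))
```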
AWS Certified Security – Specialty Official Study Guide
AWS CloudTrail Organization Trail Documentation
Amazon S3 Object Lock Documentation
AWS Well-Architected Framework – Security Pillar