A company's security team is using AWS Organizations with a consolidated billing account. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket in the management account. Which combination of actions should the security team take? (Choose the best answer.)
SCP prevents disabling; StackSets deploy automatically.
Why this answer
Option C is correct because using an SCP to deny disabling CloudTrail and a CloudFormation StackSet to deploy CloudTrail in each account ensures enforcement and deployment. Option A is wrong because relying on individual account owners is not automated. Option B is wrong because enabling CloudTrail only in the management account does not cover member accounts. Option D is wrong because Config rules do not prevent disabling of CloudTrail.