AWS DevOps Engineer Professional Practice Test

What is the best way to ensure CloudTrail is enabled across multiple accounts?

• A. Create individual CloudTrail configurations for each account
• B. Use CloudFormation StackSets for deployment
• C. Utilize AWS Organizations for configuration
• D. Compile reports to audit configurations

The correct answer is: Use CloudFormation StackSets for deployment

Using CloudFormation StackSets for deployment is the best way to ensure CloudTrail is enabled across multiple accounts due to its inherent ability to manage deployments across accounts and regions in a consistent and automated manner. With StackSets, you can create, update, or delete stacks across multiple accounts with a single operation. This means that you can deploy the same CloudTrail configuration to all accounts simultaneously, ensuring uniformity in your logging policies. CloudFormation StackSets simplifies the governance process by allowing you to define the CloudTrail setup in a single CloudFormation template. This template can include all necessary configurations for CloudTrail, and then StackSets facilitates the rollout of this setup across the specified accounts, whether they are part of an organization in AWS Organizations or separate accounts. While it might be feasible to create individual CloudTrail configurations for each account, this method lacks the efficiency and scalability that StackSets provides, especially as the number of accounts increases. Using AWS Organizations for configuration can help manage accounts but does not inherently ensure that CloudTrail is enabled. Compiling reports to audit configurations is a reactive measure and does not ensure proactive enabling of CloudTrail; it simply validates whether it is set up correctly after the fact. In summary, CloudFormation StackSets enables a centralized and repeatable deployment