AWS CloudTrail organization trails are designed to provide centralized, organization-wide logging with minimal operational effort. According to the AWS Certified Security – Specialty Official Study Guide, an organization trail records management events (and data events, if configured) for the management account and every member account, and delivers them to a single Amazon S3 bucket; member accounts can see the trail but cannot modify or delete it.
To ensure that the logs cannot be altered or deleted, Amazon S3 Object Lock in compliance mode must be used. Compliance mode enforces write-once-read-many (WORM) protection: no user, including the root user of the bucket-owning account, can delete or overwrite a protected object version before its retention period expires, and the retention period cannot be shortened once set. Object Lock requires S3 Versioning, and a default retention rule applies to every new object version written to the bucket, which is exactly what a continuously written log bucket needs. A default retention of 2 years in compliance mode directly satisfies the requirement that no changes or deletions are allowed for 2 years.
The S3 bucket must reside in the dedicated security account to provide isolation and a strong security boundary between the evidence and the accounts that generate it. Granting write permission for the organization's management account (Option A) aligns with AWS best practices, because the management account owns the organization trail and CloudTrail delivers logs for all accounts through that one trail. In practice, the bucket policy grants the CloudTrail service principal (cloudtrail.amazonaws.com) s3:PutObject, conditioned with aws:SourceArn on the ARN of the trail in the management account and limited to the AWSLogs/<management-account-id>/ and AWSLogs/<organization-id>/ key prefixes, so no member account needs its own write access.
Option B increases the attack surface by allowing every member account to write directly to the evidence bucket. Option C does not meet the immutability requirement, because lifecycle rules only expire or transition objects on a schedule; they do not prevent a principal with s3:DeleteObject from deleting or overwriting them. Option E introduces unnecessary services and operational complexity.
AWS documentation describes S3 Object Lock in compliance mode as the mechanism for WORM retention of data that must not be altered, and organization trails as the lowest-overhead way to collect CloudTrail logs from every account in an organization. Their combination is therefore the solution with the least operational overhead for long-term, immutable audit log retention.
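The two configuration documents the answer depends on, as an added example that is not part of the study guide or any AWS sample: a function that builds the organization-trail bucket policy from the documented pattern, one that builds the compliance-mode Object Lock rule, and an audit function that flags the weak variants (a member account allowed to write, a missing aws:SourceArn pin, governance mode, or retention shorter than the requirement). The bucket name, account ID, organization ID, region and trail name are placeholder values chosen for the example.

```python
"""Build and audit the S3 configuration for an organization-trail log bucket.

Added example, not from the study guide or AWS. All identifiers below are
placeholders (hypothetical bucket, account, org, trail), not real resources.
"""
import json
from typing import Any

CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"


def org_trail_bucket_policy(bucket: str, region: str, mgmt_account_id: str,
                            trail_name: str, org_id: str) -> dict[str, Any]:
    """Bucket policy that lets the CloudTrail service deliver the organization trail.

    Only the CloudTrail service principal may write, pinned with aws:SourceArn to
    the single trail owned by the management account, and only under the two key
    prefixes CloudTrail uses (AWSLogs/<mgmt account>/ and AWSLogs/<org id>/).
    Member accounts get no write access of their own.
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{mgmt_account_id}:trail/{trail_name}"
    write_cond = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                   "aws:SourceArn": trail_arn}}
    svc = {"Service": CLOUDTRAIL_PRINCIPAL}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": svc,
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": svc,
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{mgmt_account_id}/*",
             "Condition": write_cond},
            {"Sid": "AWSCloudTrailOrganizationWrite", "Effect": "Allow",
             "Principal": svc, "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*",
             "Condition": write_cond},
        ],
    }


def object_lock_configuration(years: int) -> dict[str, Any]:
    """Default retention for every new object version: COMPLIANCE mode, fixed term.

    Shape matches the s3api put-object-lock-configuration document.
    """
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": years}}}


def audit_log_bucket(policy: dict[str, Any], lock_config: dict[str, Any],
                     min_years: int) -> list[str]:
    """Return findings for a bucket policy + Object Lock config; empty means OK."""
    findings: list[str] = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        # Any writer other than the CloudTrail service (wildcard, member account)
        # is a path for tampering with the evidence bucket.
        if principal != {"Service": CLOUDTRAIL_PRINCIPAL}:
            findings.append(f"{sid}: s3:PutObject allowed for principal {principal!r}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "aws:SourceArn" not in cond:
            findings.append(f"{sid}: s3:PutObject not pinned to a trail ARN (aws:SourceArn)")
    rule = lock_config.get("Rule", {}).get("DefaultRetention", {})
    if lock_config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"default retention mode is {rule.get('Mode')!r}, not COMPLIANCE")
    days = rule.get("Days", 0) + rule.get("Years", 0) * 365
    if days < min_years * 365:
        findings.append(f"default retention is {days} days, below {min_years} years")
    return findings


# Constructed weak configuration: a member account writes directly (Option B style),
# Object Lock is in governance mode and retention is far too short.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "MemberAccountsWrite", "Effect": "Allow",
                   "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
                   "Action": ["s3:PutObject"],
                   "Resource": "arn:aws:s3:::org-trail-logs/*"}],
}
WEAK_LOCK = {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 180}}}

if __name__ == "__main__":
    good = org_trail_bucket_policy("org-trail-logs", "us-east-1", "111111111111",
                                   "org-trail", "o-abc123def4")
    print(json.dumps(good, indent=2))
    print("hardened findings:", audit_log_bucket(good, object_lock_configuration(2), 2))
    print("weak findings:", audit_log_bucket(WEAK_POLICY, WEAK_LOCK, 2))
```

The generated documents are the bodies you would pass to `aws s3api put-bucket-policy --policy` and `aws s3api put-object-lock-configuration --object-lock-configuration`, on a bucket created with `--object-lock-enabled-for-bucket` (which also turns on versioning). Because a compliance-mode retention can be lengthened but never shortened, not even by the root user, validate the rule with the audit function before applying it: a typo in the term is itself locked in for that long.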
AWS Certified Security – Specialty Official Study Guide
AWS CloudTrail Organization Trail Documentation
Amazon S3 Object Lock Documentation
AWS Well-Architected Framework – Security Pillar