Which solution will meet these requirements with the LEAST administrative overhead?
Use Network Access Analyzer to review all access permissions in the company’s AWS accounts.
Create an AWS CloudWatch alarm that activates when an IAM user creates or modifies resources in an AWS account.
Use AWS Identity and Access Management (IAM) Access Analyzer to review all the company’s resources and accounts.
Use Amazon Inspector to find vulnerabilities in existing IAM policies.
Explanations:
Network Access Analyzer evaluates network configurations and reachability for VPC resources, not IAM user permissions. It gives no insight into IAM policies or the access level of individual users.
Creating a CloudWatch alarm for IAM user actions does not review or analyze permissions; it merely tracks activity. This approach does not help in identifying excessive permissions or compliance issues.
IAM Access Analyzer identifies resources shared with external entities and reviews the permissions granted to IAM users. It surfaces over-permissioned IAM users with minimal administrative effort, which makes it the correct choice.
Amazon Inspector is designed to assess security vulnerabilities in workloads and their configurations, not to analyze IAM policies or the permissions granted to users.