What should the solutions architect do to meet this requirement with the LEAST amount of effort?

By:
In: SAP-C02
Tagged:
With: 1 Comment
An external audit of a company’s serverless application reveals IAM policies that grant too many permissions.These policies are attached to the company’s AWS Lambda execution roles.Hundreds of the company’s Lambda functions have broad access permissions such as full access to Amazon S3 buckets and Amazon DynamoDB tables.The company wants each function to have only the minimum permissions that the function needs to complete its task.A solutions architect must determine which permissions each Lambda function needs.

What should the solutions architect do to meet this requirement with the LEAST amount of effort?

Set up Amazon CodeGuru to profile the Lambda functions and search for AWS API calls. Create an inventory of the required API calls and resources for each Lambda function. Create new IAM access policies for each Lambda function. Review the new policies to ensure that they meet the company’s business requirements.

Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access Management Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company’s business requirements.

Turn on AWS CloudTrail logging for the AWS account. Create a script to parse the CloudTrail log, search for AWS API calls by Lambda execution role, and create a summary report. Review the report. Create IAM access policies that provide more restrictive permissions for each Lambda function.

Turn on AWS CloudTrail logging for the AWS account. Export the CloudTrail logs to Amazon S3. Use Amazon EMR to process the CloudTrail logs in Amazon S3 and produce a report of API calls and resources used by each execution role. Create a new IAM access policy for each role. Export the generated roles to an S3 bucket. Review the generated policies to ensure that they meet the company’s business requirements.

Explanations:

Using Amazon CodeGuru may provide insights into API calls but does not offer a straightforward way to automate the generation of IAM policies based on actual usage. It requires more manual effort to create and review policies.

Turning on AWS CloudTrail and using IAM Access Analyzer allows for automated analysis of actual API usage to generate precise IAM policies with minimal manual intervention. This approach directly addresses the requirement for least effort.

While parsing CloudTrail logs can yield insights, creating a custom script adds complexity and requires additional effort in both development and maintenance, making it less efficient than using built-in AWS tools.

This option is too complex as it involves multiple steps, including exporting logs to S3 and processing them with EMR. It introduces unnecessary overhead compared to using CloudTrail and IAM Access Analyzer directly.

2025-10-17

1 Comment

  1. Richard
    Author

    I figure that the answer is:
    Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access Management Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company’s business requirements.

Leave a Reply

Your email address will not be published. Required fields are marked *

14 − six =