Which solution will meet these requirements?
A. Use AWS CloudTrail logs to review IAM identity actions and to remove unused permissions.
B. Use AWS Config to review configuration changes by each IAM identity and to remove unused permissions.
C. Use AWS Identity and Access Management Access Analyzer to review last accessed information and to remove unused permissions.
D. Use AWS Trusted Advisor to check the IAM identities that have elevated permissions and to remove unused permissions.
Explanations:
A. AWS CloudTrail logs provide details on the API calls that were made, but they do not directly show the last accessed information for IAM identities. CloudTrail is more useful for auditing actions than for reviewing unused IAM permissions.
B. AWS Config tracks configuration changes to AWS resources but does not focus on the usage or access history of IAM permissions. It is not suitable for auditing IAM identity permissions for least privilege.
C. AWS IAM Access Analyzer provides detailed reports on when IAM identities last accessed specific permissions. It is designed to identify unused permissions based on actual access activity, which helps enforce least privilege.
D. AWS Trusted Advisor provides security best-practice checks, including checks on IAM permissions, but it does not show when IAM identities last accessed permissions. It is not suitable for tracking unused permissions.
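The explanation for the correct option rests on last accessed information: a service that an identity is allowed to call but has not used for a long time is a candidate for removal from its policies. The following is an added example, not part of the original question or of AWS's own tooling. It assumes a report in the shape returned by the IAM `get-service-last-accessed-details` API (a `ServicesLastAccessed` list whose entries carry `ServiceNamespace` and, when the service was used in the tracking period, an ISO-8601 `LastAuthenticated` timestamp); the sample report below is constructed for the example, and the 90-day threshold is an assumed review window.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws iam get-service-last-accessed-details`
# output (JSON from the IAM API). The values are invented for this example.
# Assumption: a service never used in the tracking period has no
# "LastAuthenticated" key at all.
SAMPLE_LAST_ACCESSED = {
    "JobStatus": "COMPLETED",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": "2024-05-20T14:03:11+00:00",
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
         "LastAuthenticated": "2023-11-02T09:15:00+00:00",
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda",
         "TotalAuthenticatedEntities": 0},
    ],
}

# Fixed "now" so the example is deterministic (constructed, not the real clock).
REPORT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def unused_services(report, now, max_age_days=90):
    """Return the namespaces of services the identity may call but has not
    used within max_age_days (or never used at all): candidates for removal
    from the identity's policies when enforcing least privilege."""
    if report.get("JobStatus") != "COMPLETED":
        # The report is generated asynchronously; an unfinished job has no
        # usable data yet.
        raise ValueError("report job not finished; fetch the details again later")
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for svc in report["ServicesLastAccessed"]:
        last = svc.get("LastAuthenticated")
        if last is None:
            # Never authenticated during the tracking period.
            stale.append(svc["ServiceNamespace"])
            continue
        when = datetime.fromisoformat(last)
        if when < cutoff:
            stale.append(svc["ServiceNamespace"])
    return sorted(stale)


def find_stale_in_sample():
    """Run the check over the constructed report with the default window."""
    return unused_services(SAMPLE_LAST_ACCESSED, REPORT_TIME)


if __name__ == "__main__":
    for namespace in find_stale_in_sample():
        print(f"candidate for removal: {namespace}")
```

In the sample, S3 was used 12 days before the report time and stays, while EC2 (last used about seven months earlier) and Lambda (never used) are reported as stale. The list is a starting point for review, not an automatic policy edit: a service used only by an annual job would also look stale under a 90-day window, so the window should match how the identity is actually used.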