Which solution meets these requirements with the LEAST operational effort?
A. Create an AWS Config rule to check for the key age. Configure the AWS Config rule to run an AWS Batch job to remove the key.
B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to check for the key age. Configure the rule to run an AWS Batch job to remove the key.
C. Create an AWS Config rule to check for the key age. Define an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule an AWS Lambda function to remove the key.
D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to check for the key age. Define an EventBridge (CloudWatch Events) rule to run an AWS Batch job to remove the key.

Explanations:

A. While AWS Config can check for key age, using AWS Batch to remediate the keys adds unnecessary complexity and operational effort. AWS Batch is not the ideal service for this task, as it is typically used for batch processing rather than managing IAM keys.
B. Amazon EventBridge can be used to trigger events based on specific conditions; however, it is not designed to directly check the age of IAM keys. Additionally, using AWS Batch for remediation adds operational overhead.
C. AWS Config is designed to assess compliance and can check for the age of IAM access keys. By integrating it with an EventBridge rule to invoke an AWS Lambda function, it automates the remediation process of making older keys inactive and removing them, requiring minimal operational effort.
D. Similar to option B, EventBridge does not directly check key age. Using AWS Batch for this task introduces unnecessary complexity, making this option less efficient than using a Lambda function triggered by an AWS Config rule.