What should the solutions architect do to meet this requirement with the LEAST amount of effort?
Set up Amazon CodeGuru to profile the Lambda functions and search for AWS API calls. Create an inventory of the required API calls and resources for each Lambda function. Create new IAM access policies for each Lambda function. Review the new policies to ensure that they meet the company’s business requirements.
Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access Management Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company’s business requirements.
Turn on AWS CloudTrail logging for the AWS account. Create a script to parse the CloudTrail log, search for AWS API calls by Lambda execution role, and create a summary report. Review the report. Create IAM access policies that provide more restrictive permissions for each Lambda function.
Turn on AWS CloudTrail logging for the AWS account. Export the CloudTrail logs to Amazon S3. Use Amazon EMR to process the CloudTrail logs in Amazon S3 and produce a report of API calls and resources used by each execution role. Create a new IAM access policy for each role. Export the generated roles to an S3 bucket. Review the generated policies to ensure that they meet the company’s business requirements.
Explanations:
Amazon CodeGuru does not produce IAM permission inventories. CodeGuru Profiler reports runtime CPU and latency hot spots, and CodeGuru Reviewer flags code defects; neither enumerates the AWS API calls and resources each Lambda function makes. Every policy would then still have to be written by hand, so this option does not give a low-effort way to determine the minimum permissions for Lambda.
AWS CloudTrail records the AWS API calls made under each Lambda execution role, and IAM Access Analyzer policy generation uses that recorded activity (up to 90 days of it) to produce a policy for the role containing only the actions it was observed to use. The generated policy is a starting point rather than a finished least-privilege policy: it covers only code paths that actually ran during the window, and for services that Access Analyzer cannot track at the action level it emits service-level permissions (for example, a whole service with a wildcard action) that the reviewer must narrow by hand. Even with that review step, this is the most efficient way to meet the requirement with minimal effort.
Although parsing CloudTrail logs manually can produce a report of required permissions, writing a custom script to generate IAM policies is complex and requires more effort than IAM Access Analyzer, which can automate this process.
Using Amazon EMR to process CloudTrail logs is unnecessary and complex for this purpose. Access Analyzer already provides a streamlined way to analyze permissions based on CloudTrail data, making this option overly complex and less efficient.
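The following is an added example, not code from the original question or from AWS, of how the Access Analyzer option is driven for one execution role and how the result is reviewed. The role, trail and access-role ARNs, the time window and the `SAMPLE_RESPONSE` are all constructed for illustration; the sample mimics the shape of a `GetGeneratedPolicy` response, including a service-level `dynamodb:*` statement of the kind the reviewer has to tighten. The live helper at the end needs AWS credentials and boto3 and is not exercised offline.

```python
"""Added example (not from the original question or AWS's own code):
drive IAM Access Analyzer policy generation for one Lambda execution
role and summarise the generated policy for review."""
import json
import uuid
from datetime import datetime, timedelta, timezone


def build_policy_generation_request(principal_arn, trail_arn, access_role_arn,
                                    days=30, end=None, all_regions=True):
    """Build the StartPolicyGeneration request for one execution role.

    Access Analyzer reads at most 90 days of CloudTrail activity, so the
    window is capped at 90 days. access_role_arn is the service role Access
    Analyzer assumes to read the trail (assumed to already exist with the
    permissions AWS documents for it).
    """
    days = min(days, 90)
    end = end or datetime.now(timezone.utc)
    start = end - timedelta(days=days)
    return {
        "policyGenerationDetails": {"principalArn": principal_arn},
        "cloudTrailDetails": {
            "trails": [{"cloudTrailArn": trail_arn, "allRegions": all_regions}],
            "accessRole": access_role_arn,
            "startTime": start,
            "endTime": end,
        },
        "clientToken": str(uuid.uuid4()),  # idempotency token for the API
    }


def review_generated_policy(response):
    """Summarise a GetGeneratedPolicy response for human review.

    Returns the action-level permissions Access Analyzer observed plus two
    lists the reviewer must tighten by hand: service-level wildcards such as
    "dynamodb:*" (emitted for services Access Analyzer cannot track at the
    action level) and statements scoped to Resource "*".
    """
    result = response["generatedPolicyResult"]
    if not result["properties"]["isComplete"]:
        raise RuntimeError("policy generation job has not finished")
    actions, service_wildcards, unscoped = set(), set(), []
    for generated in result["generatedPolicies"]:
        policy = json.loads(generated["policy"])  # policy is a JSON string
        for stmt in policy["Statement"]:
            acts = stmt["Action"]
            acts = [acts] if isinstance(acts, str) else list(acts)
            resources = stmt.get("Resource", "*")
            resources = [resources] if isinstance(resources, str) else list(resources)
            for act in acts:
                (service_wildcards if act.endswith(":*") else actions).add(act)
            if "*" in resources:
                unscoped.append(stmt.get("Sid", acts[0]))
    return {
        "actions": sorted(actions),
        "service_wildcards": sorted(service_wildcards),
        "unscoped_statements": unscoped,
    }


# Constructed sample of a finished GetGeneratedPolicy response.
SAMPLE_RESPONSE = {
    "jobDetails": {"jobId": "example-job-id", "status": "SUCCEEDED"},
    "generatedPolicyResult": {
        "properties": {
            "isComplete": True,
            "principalArn": "arn:aws:iam::123456789012:role/order-processor-role",
        },
        "generatedPolicies": [{"policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {"Sid": "SqsRead", "Effect": "Allow",
                 "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
                 "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"},
                {"Sid": "S3Write", "Effect": "Allow", "Action": "s3:PutObject",
                 "Resource": "arn:aws:s3:::order-archive/*"},
                {"Sid": "Dynamo", "Effect": "Allow", "Action": "dynamodb:*",
                 "Resource": "*"},
            ],
        })}],
    },
}


def generate_policy_for_role(principal_arn, trail_arn, access_role_arn,
                             region="us-east-1", poll_seconds=10):
    """Live helper (needs AWS credentials; not run offline): start the job,
    wait for it, and return the review summary of the generated policy."""
    import time
    import boto3  # imported here so the offline functions above need no boto3
    analyzer = boto3.client("accessanalyzer", region_name=region)
    request = build_policy_generation_request(principal_arn, trail_arn, access_role_arn)
    job_id = analyzer.start_policy_generation(**request)["jobId"]
    while True:
        resp = analyzer.get_generated_policy(jobId=job_id,
                                             includeServiceLevelTemplate=False)
        status = resp["jobDetails"]["status"]
        if status == "SUCCEEDED":
            return review_generated_policy(resp)
        if status in ("FAILED", "CANCELED"):
            raise RuntimeError(f"policy generation {status}: {resp['jobDetails']}")
        time.sleep(poll_seconds)


if __name__ == "__main__":
    print(json.dumps(review_generated_policy(SAMPLE_RESPONSE), indent=2))
```

Run one job per execution role, then compare `actions` against the role's current policy to see which granted permissions were never used; anything in `service_wildcards` or `unscoped_statements` is where the generated policy is still broader than least privilege and needs the manual tightening the explanation above describes.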