How can this be accomplished?

By:
In: SOA-C01
Tagged:
With: 1 Comment
An organization has hired an external firm to audit unauthorized changes on the company’s AWS environment, the external auditor needs appropriate access.

How can this be accomplished?

Create an IAM user and assign them a new policy with GetResources access on AWS Artifact

Create an IAM user and add them to the existing ג€Administratorג€ IAM group

Create an IAM user and assign them a new IAM policy with read access to the AWS CloudTrail logs in Amazon S3

Create an IAM user and assign them a new policy with ListFindings access on Amazon Inspector

Explanations:

AWS Artifact provides access to compliance reports, not to auditing unauthorized changes. The necessary access to logs or activity history is not granted by this policy.

Assigning the auditor to the “Administrator” group would provide excessive permissions, potentially exposing sensitive resources beyond what is needed for auditing unauthorized changes.

Providing the auditor with read access to AWS CloudTrail logs in Amazon S3 is the correct way to monitor and audit changes in the AWS environment, as CloudTrail logs track all API activities including unauthorized changes.

Amazon Inspector is primarily used for security assessments and vulnerability management, not for auditing changes or tracking unauthorized activities in the AWS environment.

2025-10-02

1 Comment

  1. Alexander
    Author

    From what I’ve heard, the answer is:
    Create an IAM user and assign them a new IAM policy with read access to the AWS CloudTrail logs in Amazon S3

Leave a Reply

Your email address will not be published. Required fields are marked *

eight + seventeen =