How can the SysOps administrator create a policy to meet this requirement?

By:
In: SOA-C02
Tagged:
With: 1 Comment
A company’s application currently uses an IAM role that allows all access to all AWS services.A SysOps administrator must ensure that the company’s IAM policies allow only the permissions that the application requires.

How can the SysOps administrator create a policy to meet this requirement?

Turn on AWS CloudTrail. Generate a policy by using AWS Security Hub.

Turn on Amazon EventBridge (Amazon CloudWatch Events). Generate a policy by using AWS Identity and Access Management Access Analyzer.

Use the AWS CLI to run the get-generated-policy command in AWS Identity and Access Management Access Analyzer.

Turn on AWS CloudTrail. Generate a policy by using AWS Identity and Access Management Access Analyzer.

Explanations:

AWS CloudTrail records API activity but does not generate IAM policies directly. AWS Security Hub is for security compliance and does not generate IAM policies.

Amazon EventBridge (CloudWatch Events) is used for event-driven architectures, not for generating IAM policies. AWS Identity and Access Management Access Analyzer does not use EventBridge for policy generation.

The AWS CLI command “get-generated-policy” does not exist in AWS IAM Access Analyzer. IAM Access Analyzer can generate policies, but not through this command.

AWS CloudTrail can log API activity, and AWS IAM Access Analyzer can analyze the logs to generate a policy that grants only the required permissions based on actual usage.

2025-10-14

1 Comment

  1. Matthew
    Author

    I judge that the answer is:
    Turn on AWS CloudTrail. Generate a policy by using AWS Identity and Access Management Access Analyzer.

Leave a Reply to Matthew Cancel reply

Your email address will not be published. Required fields are marked *

11 − four =