How should the SysOps administrator implement this solution?
Create an AWS Step Functions workflow to identify IAM users that have not been active for 90 days. Run an AWS Lambda function when a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule is invoked to automatically remove the AWS access keys and passwords for these IAM users.
Configure an AWS Config rule to identify IAM users that have not been active for 90 days. Set up an automatic weekly batch process on an Amazon EC2 instance to disable the AWS access keys and passwords for these IAM users.
Develop and run a Python script on an Amazon EC2 instance to programmatically identify IAM users that have not been active for 90 days. Automatically delete these IAM users.
Set up an AWS Config managed rule to identify IAM users that have not been active for 90 days. Set up an AWS Systems Manager automation runbook to disable the AWS access keys for these IAM users.
Explanations:
While AWS Step Functions and Lambda can be used for automation, it is not the most operationally efficient method. It requires setting up and maintaining a workflow and additional infrastructure for scheduling and managing the automation, making it less optimal compared to using AWS Config and Systems Manager.
This option involves setting up an EC2 instance to run a batch process for checking inactive IAM users and disabling their access keys and passwords. This method is less efficient because it requires managing an EC2 instance, which introduces operational overhead. Additionally, AWS Config managed rules are a more efficient solution.
Running a Python script on an EC2 instance adds unnecessary operational overhead. This method involves manually managing an EC2 instance and script execution, which is less efficient than using AWS Config and Systems Manager automation.
This option uses AWS Config to monitor IAM user activity and AWS Systems Manager automation to disable the keys, making it the most operationally efficient. AWS Config provides the necessary compliance monitoring, and Systems Manager runbooks allow for automation without the need for additional infrastructure. This solution is fully managed, reducing operational complexity.
I would say the answer is:
Set up an AWS Config managed rule to identify IAM users that have not been active for 90 days. Set up an AWS Systems Manager automation runbook to disable the AWS access keys for these IAM users.