What is the FASTEST way to create a custom IAM policy for the EC2 instance to meet this requirement?
Create a new IAM policy based on services that the build server deployed or updated in the last 3 months.
Create a new IAM policy that includes all actions that AWS CloudTrail recorded for the IAM role in the last 3 months.
Create a new permissions boundary policy that denies all access. Associate the permissions boundaries with the IAM role.
Create a new IAM policy by using Amazon Athena to query an Amazon S3 bucket that contains AWS CloudTrail events that the IAM role performed in the last 3 months.
Explanations:
Creating a policy based on the services used in the last 3 months is too coarse: a service-level policy either grants every action in that service or still leaves you to work out the individual actions by hand, so it may over-grant or miss what the build server needs.
Creating a policy from the actions AWS CloudTrail recorded for the IAM role in the last 3 months gives a policy with only the permissions the role actually used, and it is the fastest option because IAM Access Analyzer can generate such a policy directly from the role's CloudTrail activity (up to 90 days of history) without manual log analysis. Review the generated policy before attaching it and scope the Resource elements down to the specific ARNs where possible.
Permissions boundaries cap the maximum permissions a role can have; a deny-all boundary would stop the build server from working and does nothing to define the exact permissions the role requires, which is what is needed here.
Using Amazon Athena to query CloudTrail logs in Amazon S3 would also reveal the actions used, but it requires setting up the table and queries and then translating the results into a policy by hand, which is slower and more complex than having IAM generate the policy from the CloudTrail activity.
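To show what "a policy built from the actions CloudTrail recorded for the role" looks like in practice, here is an added stand-alone example (not part of the original question or of any AWS tool). It mines a handful of constructed CloudTrail records for one role, drops calls made by other principals and calls that were denied, maps each event to an IAM action, and emits a policy document grouped by service. IAM Access Analyzer's policy generation does this for you from the role's real CloudTrail history; the role ARN, the sample events and the "Activity" Sid naming are assumptions made for the example.

```python
"""Derive a least-privilege IAM policy from CloudTrail activity (added example).

Illustrates the idea behind the correct answer: grant only the actions the
role was actually seen performing. The events below are constructed sample
records in CloudTrail's shape, not real logs, and the role ARN is hypothetical.
"""
import json
from collections import defaultdict

ROLE_ARN = "arn:aws:iam::123456789012:role/BuildServerRole"  # hypothetical


def assumed_role(role_arn):
    """userIdentity block CloudTrail writes for calls made with an assumed role."""
    return {"type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"arn": role_arn}}}


# Constructed records; only the fields the mapping needs are included.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": assumed_role(ROLE_ARN)},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": assumed_role(ROLE_ARN)},
    {"eventSource": "ecr.amazonaws.com", "eventName": "GetAuthorizationToken",
     "userIdentity": assumed_role(ROLE_ARN)},
    {"eventSource": "ecs.amazonaws.com", "eventName": "UpdateService",
     "userIdentity": assumed_role(ROLE_ARN)},
    # Repeated call: must be deduplicated, not listed twice.
    {"eventSource": "ecs.amazonaws.com", "eventName": "UpdateService",
     "userIdentity": assumed_role(ROLE_ARN)},
    # Denied call: the role attempted it but was not allowed to; do not grant it blindly.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "errorCode": "AccessDenied", "userIdentity": assumed_role(ROLE_ARN)},
    # A different principal entirely; must be ignored.
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def issuer_arn(event):
    """Return the role ARN for assumed-role sessions, else the principal ARN."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return ident.get("arn")


def iam_action(event):
    """Map eventSource 'ecs.amazonaws.com' + eventName 'UpdateService' to 'ecs:UpdateService'.

    Caveat: for most, but not all, services the logged eventName equals the IAM
    action name, so the generated policy still needs a human review.
    """
    prefix = event["eventSource"].split(".")[0]
    return f"{prefix}:{event['eventName']}"


def recorded_actions(events, role_arn, include_denied=False):
    """Sorted, de-duplicated IAM actions the given role performed successfully."""
    actions = set()
    for ev in events:
        if issuer_arn(ev) != role_arn:
            continue
        if not include_denied and ev.get("errorCode"):
            continue
        actions.add(iam_action(ev))
    return sorted(actions)


def build_policy(actions):
    """One Allow statement per service. Resource is left as '*' and should be
    narrowed to the concrete ARNs once they are known."""
    by_service = defaultdict(list)
    for action in actions:
        by_service[action.split(":")[0]].append(action)
    statements = [
        {"Sid": f"{service.capitalize()}Activity", "Effect": "Allow",
         "Action": acts, "Resource": "*"}
        for service, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(recorded_actions(SAMPLE_EVENTS, ROLE_ARN)), indent=2))
```

Running the script prints a three-statement policy (ecr, ecs, s3) with four actions in total; the denied `iam:CreateUser` attempt and the other user's EC2 call are excluded. Passing `include_denied=True` surfaces the denied actions separately so you can decide whether they were legitimate needs or something the role should never have.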