What should a solutions architect do to accomplish this?
Monitor using AWS CloudTrail.
Create an AWS Config rule to run daily.
Publish IAM user changes to Amazon SNS.
Run AWS Lambda when a user is modified.
Explanations:
AWS CloudTrail records the API calls made in the account, which gives a history of changes, but it does not provide a direct way to identify the users that have policies attached at a specific point in time. It is better suited to auditing than to compliance monitoring.
Creating an AWS Config rule to run daily allows for continuous compliance checks against the standard. This rule can specifically check for IAM policies attached directly to users and flag any violations, making it a proactive approach to identify non-compliance efficiently.
Publishing IAM user changes to Amazon SNS can notify about changes but does not actively monitor or identify users with attached policies. This option lacks the necessary automation and continuous compliance checking needed to enforce the standard.
Running an AWS Lambda function when a user is modified could identify changes but would not provide a comprehensive view of all users with attached policies at any given time. It would require additional logic and does not offer a systematic approach to monitor compliance continuously.
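As an added example that is not part of the original page, here is the evaluation logic behind the correct option: a custom AWS Config rule, scheduled to run periodically, that inventories each IAM user's directly attached managed policies and inline policies and reports a NON_COMPLIANT evaluation for every user that has either. The handler, the helper names and the sample inventory are my own constructions; the IAM and Config API calls are the real boto3 ones, and the rule is assumed to be deployed as a Lambda-backed periodic rule.

```python
import json
from typing import Dict, List

def evaluate_user(user_name: str, attached: List[str], inline: List[str]) -> Dict:
    """Build one AWS Config evaluation for a user. Any managed policy attached
    directly to the user, or any inline policy, breaks the standard."""
    violations = [f"attached:{p}" for p in attached] + [f"inline:{p}" for p in inline]
    return {
        "ComplianceResourceType": "AWS::IAM::User",
        "ComplianceResourceId": user_name,
        "ComplianceType": "NON_COMPLIANT" if violations else "COMPLIANT",
        # Config caps annotations at 256 characters
        "Annotation": "; ".join(violations)[:256] if violations else "no direct policies",
    }

def evaluate_users(inventory: Dict[str, Dict[str, List[str]]]) -> List[Dict]:
    """inventory maps user name -> {"attached": [...], "inline": [...]}."""
    return [evaluate_user(u, d.get("attached", []), d.get("inline", []))
            for u, d in sorted(inventory.items())]

def noncompliant_users(inventory: Dict[str, Dict[str, List[str]]]) -> List[str]:
    return [e["ComplianceResourceId"] for e in evaluate_users(inventory)
            if e["ComplianceType"] == "NON_COMPLIANT"]

def collect_inventory(iam) -> Dict[str, Dict[str, List[str]]]:
    """Walk every IAM user with paginators; the client is passed in so the
    evaluation logic above stays testable without AWS credentials."""
    inventory = {}
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            attached = [p["PolicyName"]
                        for pg in iam.get_paginator("list_attached_user_policies").paginate(UserName=name)
                        for p in pg["AttachedPolicies"]]
            inline = [n for pg in iam.get_paginator("list_user_policies").paginate(UserName=name)
                      for n in pg["PolicyNames"]]
            inventory[name] = {"attached": attached, "inline": inline}
    return inventory

def lambda_handler(event, context):
    """Entry point for the periodic Config rule (hypothetical deployment)."""
    import boto3  # imported here so the pure logic above needs no SDK
    evaluations = evaluate_users(collect_inventory(boto3.client("iam")))
    stamp = json.loads(event["invokingEvent"])["notificationCreationTime"]
    for ev in evaluations:
        ev["OrderingTimestamp"] = stamp
    config = boto3.client("config")
    for i in range(0, len(evaluations), 100):  # PutEvaluations accepts 100 per call
        config.put_evaluations(Evaluations=evaluations[i:i + 100], ResultToken=event["resultToken"])
    return {"non_compliant": [e["ComplianceResourceId"] for e in evaluations
                              if e["ComplianceType"] == "NON_COMPLIANT"]}

# Constructed sample inventory, standing in for what collect_inventory() returns
SAMPLE_INVENTORY = {
    "alice": {"attached": ["AdministratorAccess"], "inline": []},
    "bob": {"attached": [], "inline": []},
    "carol": {"attached": [], "inline": ["s3-read"]},
}
```

Deploying the function behind a Config rule with a 24-hour MaximumExecutionFrequency gives the daily check the question asks for, and Config keeps the compliance timeline that CloudTrail and SNS alone do not.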