Which of the following options should the Security Engineer use?
A. In the AWS Console, choose the IAM service and select "Users". Review the "Access Key Age" column.
B. Define an IAM policy that denies access if the key age is more than three months and apply it to all users.
C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.
D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.
Explanations:
A. Manually reviewing the IAM console for access key age is not automated and does not meet the requirement for an automated process.
B. An IAM policy that denies access based on key age cannot be applied directly to enforce disabling of keys; policies cannot dynamically evaluate key age for actions such as disabling.
C. Writing a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs allows an automated process to retrieve access key information and disable keys that are older than three months.
D. While a CloudWatch alarm and a Lambda function could automate the process, this approach does not directly disable keys based on age. A simpler and more direct approach is to use the APIs described in option C.
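The option C flow, as an added example that is not part of the original page: the credential report is parsed offline against a constructed sample, and a separate function wires the same logic to the live IAM API (boto3 is assumed; ListAccessKeys is also needed because the credential report does not carry access key IDs, which UpdateAccessKey requires).

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # "older than three months", as in the question

# Constructed sample in the IAM credential report CSV layout that GetCredentialReport returns (account ID and users are made up)
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-30T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,false,N/A,N/A,N/A,true,true,2023-01-10T09:00:00+00:00,2024-05-01T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2024-04-01T09:00:00+00:00,false,N/A,N/A,N/A,true,true,2024-04-01T09:00:00+00:00,N/A,N/A,N/A,true,2023-02-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

def aged_keys(report_csv, now_iso, max_age_days=MAX_AGE_DAYS):
    """Return (user, slot) pairs for active keys last rotated more than max_age_days before now_iso.
    The report only has per-slot status and rotation date, never the key ID itself."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    found = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root keys are not IAM user keys; UpdateAccessKey cannot act on them
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            if rotated < cutoff:
                found.append((row["user"], slot))
    return found

def disable_aged_keys(dry_run=True):
    """Live flow (assumed): needs credentials allowed to call the four IAM APIs used below."""
    import time
    import boto3  # imported here so the parsing logic above runs without boto3 installed
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous; poll until it is ready
    report = iam.get_credential_report()["Content"].decode()
    now = datetime.now(timezone.utc)
    for user, _slot in aged_keys(report, now.isoformat()):
        # ListAccessKeys supplies key IDs; re-check age on CreateDate rather than trusting slot order
        for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if key["Status"] == "Active" and key["CreateDate"] < now - timedelta(days=MAX_AGE_DAYS):
                print(f"{'would disable' if dry_run else 'disabling'} {key['AccessKeyId']} for {user}")
                if not dry_run:
                    iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"], Status="Inactive")
```

Run `disable_aged_keys()` first with the default dry run and review the printed key IDs before calling it with `dry_run=False`.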