Which solution will meet these requirements?
Turn on AWS Config in the AWS account. Deploy the iam-user-unused-credentials-check AWS Config managed rule. Configure the rule to run periodically. Configure AWS Config automatic remediation to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
Use AWS Identity and Access Management Access Analyzer to create an analyzer in the AWS account. Create an Amazon EventBridge rule to match IAM Access Analyzer events for IAM users that were last accessed more than 90 days ago. Configure the rule to run the AWSConfigRemediation-DetachIAMPolicy AWS Systems Manager Automation runbook to detach any policies that are attached to the IAM user.
Enable AWS Trusted Advisor in the AWS account. Use the AWS Developer Support plan to access the AWS Support API. Configure an Amazon EventBridge scheduled rule to use the Support API's Trusted Advisor IAM Access Key Rotation check to discover IAM credentials that have not been accessed for more than 90 days. Configure another EventBridge rule to use the Trusted Advisor Check Item Refresh Status event type and to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
Enable AWS Security Hub in the AWS account. Configure a Security Hub rule that determines when an IAM user was last accessed. Configure an Amazon EventBridge rule to match the Security Hub rule and to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
Explanations:
AWS Config with the iam-user-unused-credentials-check rule and automatic remediation using the AWSConfigRemediation-RevokeUnusedIAMUserCredentials runbook will effectively revoke access for IAM users who haven't accessed the account in 90 days. This solution is designed to meet the requirements directly.
IAM Access Analyzer is used for analyzing resource access and permissions, not specifically for tracking the last access time of IAM users. The solution described doesn’t directly address the requirement to revoke access based on last access time.
AWS Trusted Advisor's IAM Access Key Rotation check doesn't track the last access time of IAM users. Trusted Advisor is more focused on checking best practices for IAM keys rather than user access time. Additionally, this option involves unnecessary complexity by relying on the AWS Support API and multiple EventBridge rules.
AWS Security Hub does not track IAM user access times directly. While it helps in security posture management, it isn’t designed to revoke access based on inactivity, and no direct rule for IAM user access times is provided.
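The first option, written out as a CloudFormation template. This is an added example, not part of the original question or of any AWS sample; it assumes the AWS Config recorder is already enabled in the account and that the `RemediationRoleArn` parameter points to a role that ssm.amazonaws.com can assume with the IAM permissions the runbook needs. The rule and runbook names and the runbook's parameter names (`AutomationAssumeRole`, `IAMResourceId`, `MaxCredentialUsageAge`) are the published ones; the resource logical IDs and the 24-hour schedule are choices made here.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Detect IAM credentials unused for 90 days and revoke them automatically (added example)

Parameters:
  # Assumption: a role trusted by ssm.amazonaws.com, created separately, with the IAM
  # permissions the runbook needs (GetUser, ListAccessKeys, UpdateAccessKey,
  # DeleteLoginProfile and related read calls).
  RemediationRoleArn:
    Type: String

Resources:
  # Periodic managed rule: a user is NON_COMPLIANT when its password or any
  # access key has gone unused for more than maxCredentialUsageAge days.
  UnusedCredentialsRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-user-unused-credentials-check
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
      InputParameters:
        maxCredentialUsageAge: "90"
      MaximumExecutionFrequency: TwentyFour_Hours

  # Automatic remediation: AWS Config passes the NON_COMPLIANT user's resource ID
  # to the runbook, which revokes that user's stale password and access keys.
  RevokeUnusedCredentials:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref UnusedCredentialsRule
      TargetType: SSM_DOCUMENT
      TargetId: AWSConfigRemediation-RevokeUnusedIAMUserCredentials
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref RemediationRoleArn
        IAMResourceId:
          ResourceValue:
            Value: RESOURCE_ID
        MaxCredentialUsageAge:
          StaticValue:
            Values:
              - "90"
```

Keeping `maxCredentialUsageAge` on the rule and `MaxCredentialUsageAge` on the runbook at the same value matters: the rule decides who is flagged, but the runbook re-checks the age itself and only revokes credentials older than its own threshold.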