Which solution will meet these requirements with the LEAST amount of effort?
Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
Create a script to export a .csv file from the AWS Trusted Advisor check for IAM access key rotation. Load the script into an AWS Lambda function that will upload the .csv file to an Amazon S3 bucket. Create an Amazon Athena table query that runs when the .csv file is uploaded to the S3 bucket. Publish the results for any keys older than 90 days by using an invocation of an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
Create a script to download the IAM credentials report on a periodic basis. Load the script into an AWS Lambda function that will run on a schedule through Amazon EventBridge (Amazon CloudWatch Events). Configure the Lambda script to load the report into memory and to filter the report for records in which the key was last rotated at least 90 days ago. If any records are detected, send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
Create an AWS Lambda function that queries the IAM API to list all the users. Iterate through the users by using the ListAccessKeys operation. Verify that the value in the CreateDate field is not at least 90 days old. Send an Amazon Simple Notification Service (Amazon SNS) notification to the security team if the value is at least 90 days old. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule the Lambda function to run each day.
Explanations:
This option utilizes AWS Config, which is designed for compliance and monitoring. The managed rule for access key rotation simplifies setup, and using Amazon EventBridge to trigger notifications based on compliance status ensures that notifications are sent automatically when keys are non-compliant, all with minimal effort and configuration.
While this option can provide the required information, it involves multiple manual steps: exporting data from AWS Trusted Advisor, processing the data, and then querying it with Amazon Athena. This solution is more complex and requires maintaining a script and Athena queries, leading to higher operational overhead.
This option also involves scripting and manual processes. Downloading the IAM credentials report periodically and filtering it in a Lambda function adds complexity. Additionally, this requires handling report formats and data extraction, making it less efficient than utilizing AWS Config directly.
This solution involves creating a custom Lambda function that queries the IAM API and iterates through users and access keys. While it could achieve the desired outcome, it requires more effort in development and maintenance compared to leveraging existing AWS services like AWS Config, making it less optimal for the requirement of minimal effort.
I weigh that the answer is:
Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge (CloudWatch Events) to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.