AWS Certified Developer – Associate — Question 413
A development team has been using a build server that is hosted on an Amazon EC2 instance to perform builds and deployments for the last 3 months. The EC2 instance's instance profile uses an IAM role that contains the AdministratorAccess managed policy. The development team must replace that policy with a policy that provides only the required permissions.
What is the FASTEST way to create a custom IAM policy for the EC2 instance to meet this requirement?
Answer options
- A. Create a new IAM policy based on services that the build server deployed or updated in the last 3 months.
- B. Create a new IAM policy that includes all actions that AWS CloudTrail recorded for the IAM role in the last 3 months.
- C. Create a new permissions boundary policy that denies all access. Associate the permissions boundaries with the IAM role.
- D. Create a new IAM policy by using Amazon Athena to query an Amazon S3 bucket that contains AWS CloudTrail events that the IAM role performed in the last 3 months.
Correct answer: B
Explanation
Generating a policy based on the actual API actions recorded in AWS CloudTrail over the last 3 months is the fastest and most accurate way to define a least-privilege IAM policy. Option A is too broad because granting access to entire services rather than specific actions does not adhere to least privilege. Option C would block all functionality, while Option D is incorrect because manually querying logs with Amazon Athena is far more time-consuming than using CloudTrail-based policy generation.
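To make the mechanism behind option B concrete, here is an added example (not part of the original question or of any AWS tooling) that reduces a handful of constructed CloudTrail records for an assumed role to the set of actions it actually called and emits a minimal Allow-only policy. It assumes that the `eventSource` host prefix equals the IAM service prefix, which holds for the common services used here but not for every service, and it leaves the `Resource` as `*`, so a real least-privilege policy still needs resource scoping afterwards.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records for one build-server role session (sample data, not real logs).
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/BuildServerRole/i-0abc"
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventSource": "codedeploy.amazonaws.com", "eventName": "CreateDeployment",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",  # repeated call, deduplicated below
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",  # other principal, ignored
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def actions_for_role(events, role_name):
    """Return the set of 'service:Action' strings that sessions of role_name actually invoked."""
    marker = f":assumed-role/{role_name}/"
    used = set()
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole" or marker not in ident.get("arn", ""):
            continue
        # Assumption: "s3.amazonaws.com" -> "s3" matches the IAM service prefix (true for these services,
        # not universally, e.g. monitoring.amazonaws.com maps to the "cloudwatch" prefix).
        service = ev["eventSource"].split(".")[0]
        used.add(f"{service}:{ev['eventName']}")
    return used


def build_policy(actions):
    """Group observed actions by service into one Allow statement per service."""
    by_service = defaultdict(list)
    for action in sorted(actions):
        by_service[action.split(":")[0]].append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": f"{svc.capitalize()}Access", "Effect": "Allow", "Action": acts,
             "Resource": "*"}  # scope to the specific buckets/applications before deploying
            for svc, acts in sorted(by_service.items())
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(actions_for_role(SAMPLE_EVENTS, "BuildServerRole")), indent=2))
```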