AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 307
A company has multiple AWS accounts in an organization in AWS Organizations that has all features enabled. The company’s DevOps administrator needs to improve security across all the company's AWS accounts. The administrator needs to identify the top users and roles in use across all accounts.
Which solution will meet these requirements with the MOST operational efficiency?
Answer options
- A. Create a new organization trail in AWS CloudTrail. Configure the trail to send log events to Amazon CloudWatch Logs. Create a CloudWatch Contributor Insights rule for the userIdentity.arn log field. View the results in CloudWatch Contributor Insights.
- B. Create an unused access analysis for the organization by using AWS Identity and Access Management Access Analyzer. Review the analyzer results and determine if each finding has the intended level of permissions required for the workload.
- C. Create a new organization trail in AWS CloudTrail. Create a table in Amazon Athena that uses partition projection. Load the Athena table with CloudTrail data. Query the Athena table to find the top users and roles.
- D. Generate a Service access report for each account by using Organizations. From the results, pull the last accessed date and last accessed by account fields to find the top users and roles.
Correct answer: A
Explanation
CloudWatch Contributor Insights analyzes log data in near real time and ranks the top contributors, so a rule keyed on the userIdentity.arn field of the CloudTrail events delivered to CloudWatch Logs tracks the most active IAM users and roles across every account in the organization with no ongoing manual work. Amazon Athena can query the same CloudTrail data, but each answer requires running and maintaining queries manually, which is less operationally efficient than the continuous, automated ranking Contributor Insights provides. AWS Identity and Access Management Access Analyzer (which reports unused access rather than activity volume) and Organizations service access reports (which report last-accessed data per service) do not easily aggregate the top active users and roles across an entire organization without significant manual overhead.
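To make the chosen design concrete, the following is an added example (not part of the original question or of any AWS documentation) that does two things: it builds the Contributor Insights rule body in the documented CloudWatchLogRule schema, keyed on `$.userIdentity.arn`, and it reproduces locally what that rule computes by aggregating a handful of constructed CloudTrail events. The log group name, the account IDs, the principal names, and the sample events are all assumptions made for the example; events without a userIdentity.arn and malformed lines are skipped, which is the same edge case a real rule has to tolerate.

```python
import json
from collections import Counter

# Assumed log group name (placeholder; the question does not name one).
LOG_GROUP = "/aws/cloudtrail/org-trail-example"


def contributor_insights_rule(log_group: str = LOG_GROUP) -> dict:
    """Rule definition counting CloudTrail events per IAM principal ARN.

    Attach this body to a CloudWatch Contributor Insights rule on the log
    group the organization trail delivers to; the rule ranks the top ARNs.
    """
    return {
        "Schema": {"Name": "CloudWatchLogRule", "Version": 1},
        "LogGroupNames": [log_group],
        "LogFormat": "JSON",
        "Contribution": {"Keys": ["$.userIdentity.arn"], "Filters": []},
        "AggregateOn": "Count",
    }


def extract_key(event: dict, path: str = "$.userIdentity.arn"):
    """Resolve a simple dotted path like $.a.b; return None if any part is missing."""
    node = event
    for part in path.lstrip("$.").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def top_contributors(log_lines, n: int = 3):
    """Local equivalent of the rule: count events per ARN, return the top n."""
    counts = Counter()
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON events
        arn = extract_key(event)
        if arn is None:
            continue  # e.g. AWSService identities carry no ARN; the rule ignores them too
        counts[arn] += 1
    return counts.most_common(n)


# Constructed sample events (two accounts, one user-heavy, one role-heavy).
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
DEPLOY = "arn:aws:sts::444455556666:assumed-role/DeployRole/ci-session"


def _event(arn, name, account):
    identity = {"accountId": account}
    if arn is not None:
        identity["arn"] = arn
    return json.dumps({"eventName": name, "userIdentity": identity})


SAMPLE_LOG_LINES = [
    _event(ALICE, "RunInstances", "111122223333"),
    _event(ALICE, "PutObject", "111122223333"),
    _event(DEPLOY, "CreateStack", "444455556666"),
    _event(ALICE, "DescribeInstances", "111122223333"),
    _event(DEPLOY, "PutObject", "444455556666"),
    _event(BOB, "ListBuckets", "111122223333"),
    _event(None, "AssumeRole", "444455556666"),  # service identity, no ARN
    "{not valid json",                           # truncated line
]

if __name__ == "__main__":
    print(json.dumps(contributor_insights_rule(), indent=2))
    for arn, count in top_contributors(SAMPLE_LOG_LINES):
        print(f"{count:4d}  {arn}")
```

In production the ranking is produced by the Contributor Insights rule itself over the organization trail's log group; the local aggregation here only shows what the `Count` aggregation on the `$.userIdentity.arn` key yields, and why principals that never carry an ARN (service identities) do not appear in the top list.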