AWS Certified Security – Specialty (SCS-C02) — Question 145

A company uses an organization in AWS Organizations to manage hundreds of AWS accounts. Some of the accounts provide access to external AWS principals through cross-account IAM roles and Amazon S3 bucket policies.

The company needs to identify which external principals have access to which accounts.

Which solution will provide this information?

Answer options

• A. Enable AWS Identity and Access Management Access Analyzer for the organization. Configure the organization as a zone of trust. Filter findings by AWS account ID.
• B. Create a custom AWS Config rule to monitor IAM roles in each account. Deploy an AWS Config aggregator to a central account. Filter findings by AWS account ID.
• C. Activate Amazon Inspector. Integrate Amazon Inspector with AWS Security Hub. Filter findings by AWS account ID for the IAM role resource type and the S3 bucket policy resource type.
• D. Configure the organization to use Amazon GuardDuty. Filter findings by AWS account ID for the Discovery:IAMUser/AnomalousBehavior finding type.

Correct answer: A

Explanation

The correct answer is A because enabling AWS Identity and Access Management Access Analyzer allows for the identification of external principals with access to resources across the organization, specifically by filtering findings based on AWS account ID. Options B, C, and D do not directly provide a comprehensive view of external access across multiple accounts, focusing instead on monitoring or detecting anomalous behavior without the same level of detail regarding external principals.