AWS Certified Security – Specialty — Question 433
A security engineer for a company wants to maintain all IAM users and roles according to the principle of least privilege. The security engineer plans to audit the IAM permissions once every 365 days. The security engineer must view the permissions that each IAM identity used in the last 365 days and must remove any unused permissions.
Which solution will meet these requirements?
Answer options
- A. Use AWS CloudTrail logs to review IAM identity actions and to remove unused permissions.
- B. Use AWS Config to review configuration changes by each IAM identity and to remove unused permissions.
- C. Use AWS Identity and Access Management Access Analyzer to review last accessed information and to remove unused permissions.
- D. Use AWS Trusted Advisor to check the IAM identities that have elevated permissions and to remove unused permissions.
Correct answer: C
Explanation
AWS Identity and Access Management Access Analyzer provides last accessed information, allowing administrators to view which services and actions were used within the last 365 days to safely remove unused permissions. AWS CloudTrail logs record API calls but require complex manual analysis to determine unused permissions over a long duration. AWS Config and AWS Trusted Advisor do not track granular service-level permission usage over a 365-day period for the purpose of least-privilege refinement.
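One way to turn that last accessed information into a removal list, as an added example that is not part of the question or its explanation: the script below parses the JSON shape the AWS CLI returns from `aws iam get-service-last-accessed-details` and flags every service the identity did not authenticate to within the page's 365-day window. The response, the dates and the audit date are constructed sample data, not output from a real account.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not real account data), shaped like the JSON that
# `aws iam get-service-last-accessed-details --job-id <id>` returns after a
# `generate-service-last-accessed-details --arn <identity-arn>` job completes.
# A service never authenticated in the tracking period has no LastAuthenticated.
SAMPLE_RESPONSE = {
    "JobStatus": "COMPLETED",
    "JobType": "SERVICE_LEVEL",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": "2024-05-01T10:15:00+00:00",
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
         "LastAuthenticated": "2022-11-20T08:00:00+00:00",
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "AWS Key Management Service", "ServiceNamespace": "kms",
         "TotalAuthenticatedEntities": 0},
    ],
    "IsTruncated": False,
}

# Audit date for the sample run (constructed); a real audit uses datetime.now(timezone.utc).
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def unused_services(response, as_of, window_days=365):
    """Namespaces not authenticated within window_days before as_of.

    A missing LastAuthenticated means never used in the tracking period, so
    those services are flagged too; all are candidates for permission removal.
    """
    if response.get("JobStatus") != "COMPLETED":
        raise ValueError("job not finished; poll get-service-last-accessed-details again")
    cutoff = as_of - timedelta(days=window_days)
    unused = []
    for svc in response["ServicesLastAccessed"]:
        last = svc.get("LastAuthenticated")
        # CLI timestamps are ISO 8601 with an explicit UTC offset.
        if last is None or datetime.fromisoformat(last) < cutoff:
            unused.append(svc["ServiceNamespace"])
    return sorted(unused)


def audit_sample():
    """Run the check over the constructed sample; returns ['ec2', 'kms']."""
    return unused_services(SAMPLE_RESPONSE, AS_OF)
```

With real output, page through further results when `IsTruncated` is true, and generate the job with `--granularity ACTION_LEVEL` to get per-action data (`TrackedActionsLastAccessed`) for the services that support it.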