AWS Certified Security – Specialty — Question 439
A company uses AWS Organizations to manage 20 AWS accounts. The company has a new requirement to enforce IAM access key rotation every 90 days. Currently, the company uses the access keys to connect to Amazon EC2 instances. The company uses the organization's management account to manage the IAM users of all the accounts.
A security administrator needs to develop a solution for the key rotation.
Which solution will meet these requirements?
Answer options
- A. Add an automatic remediation option to an AWS Config rule for access key rotation. Create an AWS Systems Manager Automation runbook. Use AWS CloudFormation StackSets to deploy the runbook. Activate the AWS Config rule. Link the runbook as the automatic remediation step.
- B. Add an automatic remediation option to an AWS Config rule for access key rotation. Create an AWS Systems Manager Automation runbook. Use AWS CloudFormation change sets to deploy the runbook. Activate the AWS Config rule. Link the runbook as the automatic remediation step.
- C. Add an automatic remediation option to an AWS Systems Manager rule for access key rotation. Create a Systems Manager Automation runbook. Use AWS CloudFormation StackSets to deploy the runbook. Activate the Systems Manager rule. Link the runbook as the automatic remediation step.
- D. Add an automatic remediation option to an AWS Systems Manager rule for access key rotation. Create a Systems Manager Automation runbook. Use AWS CloudFormation change sets to deploy the runbook. Invoke an AWS Lambda function to link the runbook as the automatic remediation step.
Correct answer: A
Explanation
AWS Config is the service that evaluates resource compliance and triggers automated remediation through AWS Systems Manager Automation runbooks; Systems Manager itself has no equivalent "rule" construct, so options C and D rely on a feature that does not exist. To deploy the rule and its remediation runbook across all accounts in AWS Organizations, AWS CloudFormation StackSets is the right tool, because CloudFormation change sets only preview changes to a single stack in a single account and cannot deploy to other accounts. Combining an AWS Config rule, a StackSet, and a Systems Manager Automation runbook is therefore the complete multi-account solution.
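The shape of the per-account template that the StackSet in option A would push to each of the 20 accounts, written here as an added illustration rather than as anything from the exam page; the AWS managed rule ACCESS_KEYS_ROTATED and its maxAccessKeyAge parameter are real, while the runbook name Custom-RotateIamAccessKey and its IamUserId parameter are assumed placeholders for a custom Automation runbook, since AWS does not ship a managed runbook that rotates access keys.

```yaml
# Added example, not from the exam page: the per-account template a StackSet pushes
# to every account. "Custom-RotateIamAccessKey" is a placeholder runbook name (AWS
# ships none that rotates keys). Deploy to ONE region per account: IAM is global.
AWSTemplateFormatVersion: "2010-09-09"
Description: 90-day IAM access key rotation - AWS Config rule plus SSM remediation
Resources:
  AccessKeysRotatedRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated-90-days
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED   # AWS managed rule
      InputParameters:
        maxAccessKeyAge: "90"                   # days, per the requirement

  # Role the runbook assumes; scoped to the IAM actions a key rotation needs.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: ssm.amazonaws.com }, Action: sts:AssumeRole }
      Policies:
        - PolicyName: rotate-access-keys
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey, iam:DeleteAccessKey]
                Resource: !Sub arn:aws:iam::${AWS::AccountId}:user/*

  AccessKeyRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref AccessKeysRotatedRule
      TargetType: SSM_DOCUMENT
      TargetId: Custom-RotateIamAccessKey         # placeholder runbook name
      Automatic: true
      MaximumAutomaticAttempts: 3                 # required when Automatic is true
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values: [ !GetAtt RemediationRole.Arn ]
        IamUserId:                                # runbook parameter (assumed name)
          ResourceValue:
            Value: RESOURCE_ID                    # the non-compliant IAM user
```

This assumes the AWS Config recorder is already enabled in each member account; the template is then deployed from the management account with `aws cloudformation create-stack-set` and `create-stack-instances` using service-managed permissions so it reaches every organization account.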