AWS Certified Security – Specialty — Question 44

A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old.
Which of the following options should the Security Engineer use?

Answer options

• A. In the AWS Console, choose the IAM service and select ג€Usersג€. Review the ג€Access Key Ageג€ column.
• B. Define an IAM policy that denies access if the key age is more than three months and apply to all users.
• C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.
• D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.

Correct answer: C

Explanation

The correct answer is C because writing a script that leverages the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs allows for automated checking and disabling of old access keys. Option A requires manual review, which does not automate the process, while option B only restricts access rather than disabling the keys. Option D, while a good approach, is more complex and indirect than simply using the APIs for direct management.