AWS Certified Solutions Architect – Associate (SAA-C02) — Question 437

A security team needs to enforce the rotation of all IAM users' access keys every 90 days. If an access key is found to be older, the key must be made inactive and removed. A solutions architect must create a solution that will check for and remediate any keys older than 90 days.
Which solution meets these requirements with the LEAST operational effort?

Answer options

• A. Create an AWS Config rule to check for the key age. Configure the AWS Config rule to run an AWS Batch job to remove the key.
• B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to check for the key age. Configure the rule to run an AWS Batch job to remove the key.
• C. Create an AWS Config rule to check for the key age. Define an Amazon EventBridge (Amazon CloudWatch Events) rule to schedule an AWS Lambda function to remove the key.
• D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to check for the key age. Define an EventBridge (CloudWatch Events) rule to run an AWS Batch job to remove the key.

Correct answer: C

Explanation

AWS Config provides a managed rule to check if IAM access keys are older than a specified number of days. When a non-compliant key is detected, AWS Config can trigger an Amazon EventBridge rule to execute an AWS Lambda function for automated remediation. This serverless approach requires significantly less operational effort than configuring and managing AWS Batch jobs.