AWS Certified Solutions Architect – Associate (SAA-C03) — Question 879
A company runs all its business applications in the AWS Cloud. The company uses AWS Organizations to manage multiple AWS accounts.
A solutions architect needs to review all permissions that are granted to IAM users to determine which IAM users have more permissions than required.
Which solution will meet these requirements with the LEAST administrative overhead?
Answer options
- A. Use Network Access Analyzer to review all access permissions in the company's AWS accounts.
- B. Create an AWS CloudWatch alarm that activates when an IAM user creates or modifies resources in an AWS account.
- C. Use AWS Identity and Access Management (IAM) Access Analyzer to review all the company’s resources and accounts.
- D. Use Amazon Inspector to find vulnerabilities in existing IAM policies.
Correct answer: C
Explanation
IAM Access Analyzer's unused access analysis produces findings for IAM users and roles that hold permissions they have not exercised within a configurable tracking period, and for roles, access keys and console passwords that are not used at all. One analyzer of type ORGANIZATION_UNUSED_ACCESS, created from the Organizations management account or a delegated administrator account, covers every member account, so there is no per-account setup, and its findings answer the question directly: which users are granted more than they use. Network Access Analyzer evaluates network reachability to VPC resources, not identity permissions. Amazon Inspector scans EC2 instances, ECR container images and Lambda functions for software vulnerabilities and unintended network exposure; it does not evaluate IAM policies. A CloudWatch alarm driven by CloudTrail events can flag individual API calls as they happen, but it gives no view of what a user is permitted to do compared with what the user actually does.
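The following is an added example, not part of the exam page or of any AWS tooling: a short triage script that takes unused-access findings in the shape returned by `aws accessanalyzer list-findings-v2` and groups the active ones by IAM user, so the reviewer gets a ranked list of principals with more access than they use. The findings embedded in the script are constructed for illustration (made-up ARNs and account IDs); the analyzer name and the 90-day tracking period in the comments are assumptions.

```python
"""Triage IAM Access Analyzer unused-access findings by IAM principal.

Added example (not from the exam page). In a real review the analyzer is created
once from the Organizations management or delegated administrator account and
the findings are pulled with the AWS CLI, for example (analyzer name and 90-day
tracking period are assumptions):

    aws accessanalyzer create-analyzer --analyzer-name org-unused-access \
        --type ORGANIZATION_UNUSED_ACCESS \
        --configuration 'unusedAccess={unusedAccessAge=90}'
    aws accessanalyzer list-findings-v2 --analyzer-arn <analyzer-arn> > findings.json

SAMPLE_FINDINGS_JSON below is constructed to mirror the list-findings-v2 response
shape; the ARNs, account IDs and timestamps are made up.
"""
import json
from collections import defaultdict

SAMPLE_FINDINGS_JSON = """
{"findings": [
 {"id": "f-1", "findingType": "UnusedPermission", "status": "ACTIVE",
  "resourceType": "AWS::IAM::User", "resourceOwnerAccount": "111111111111",
  "resource": "arn:aws:iam::111111111111:user/alice", "analyzedAt": "2024-05-01T00:00:00Z"},
 {"id": "f-2", "findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE",
  "resourceType": "AWS::IAM::User", "resourceOwnerAccount": "111111111111",
  "resource": "arn:aws:iam::111111111111:user/alice", "analyzedAt": "2024-05-01T00:00:00Z"},
 {"id": "f-3", "findingType": "UnusedIAMUserPassword", "status": "ARCHIVED",
  "resourceType": "AWS::IAM::User", "resourceOwnerAccount": "111111111111",
  "resource": "arn:aws:iam::111111111111:user/bob", "analyzedAt": "2024-05-01T00:00:00Z"},
 {"id": "f-4", "findingType": "UnusedIAMRole", "status": "ACTIVE",
  "resourceType": "AWS::IAM::Role", "resourceOwnerAccount": "222222222222",
  "resource": "arn:aws:iam::222222222222:role/deploy", "analyzedAt": "2024-05-01T00:00:00Z"},
 {"id": "f-5", "findingType": "UnusedPermission", "status": "ACTIVE",
  "resourceType": "AWS::IAM::User", "resourceOwnerAccount": "222222222222",
  "resource": "arn:aws:iam::222222222222:user/carol", "analyzedAt": "2024-05-01T00:00:00Z"},
 {"id": "f-6", "findingType": "ExternalAccess", "status": "ACTIVE",
  "resourceType": "AWS::S3::Bucket", "resourceOwnerAccount": "111111111111",
  "resource": "arn:aws:s3:::example-shared-bucket", "analyzedAt": "2024-05-01T00:00:00Z"}
]}
"""

UNUSED_FINDING_TYPES = {
    "UnusedPermission", "UnusedIAMRole",
    "UnusedIAMUserAccessKey", "UnusedIAMUserPassword",
}


def load_findings(raw_json):
    """Return the findings list from a list-findings-v2 style JSON document."""
    return json.loads(raw_json)["findings"]


def summarize_unused_access(findings, resource_types=("AWS::IAM::User",)):
    """Group ACTIVE unused-access findings by principal ARN.

    External-access findings and archived/resolved findings are skipped, as are
    resource types not in `resource_types` (pass ("AWS::IAM::User",
    "AWS::IAM::Role") to include roles). Returns
    {arn: {"account": str, "finding_types": [sorted], "count": int}}.
    """
    by_principal = defaultdict(lambda: {"account": None, "finding_types": set(), "count": 0})
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue
        if f.get("findingType") not in UNUSED_FINDING_TYPES:
            continue
        if f.get("resourceType") not in resource_types:
            continue
        entry = by_principal[f["resource"]]
        entry["account"] = f.get("resourceOwnerAccount")
        entry["finding_types"].add(f["findingType"])
        entry["count"] += 1
    # Freeze the sets into sorted lists so the result is stable and JSON-friendly.
    return {
        arn: {"account": e["account"], "finding_types": sorted(e["finding_types"]), "count": e["count"]}
        for arn, e in by_principal.items()
    }


def rank_principals(summary):
    """Principal ARNs ordered by number of active unused-access findings, then ARN."""
    return sorted(summary, key=lambda arn: (-summary[arn]["count"], arn))


if __name__ == "__main__":
    summary = summarize_unused_access(load_findings(SAMPLE_FINDINGS_JSON))
    for arn in rank_principals(summary):
        e = summary[arn]
        print(f"{arn} (account {e['account']}): {e['count']} finding(s) {e['finding_types']}")
```

Point the script at the real `findings.json` by replacing `SAMPLE_FINDINGS_JSON` with the file contents; because `list-findings-v2` paginates, concatenate the `findings` arrays from all pages before summarizing.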