AWS Certified Solutions Architect – Professional — Question 774
A company uses AWS Organizations to manage multiple AWS accounts. The accounts share an Amazon Simple Queue Service (Amazon SQS) queue. The SQS queue is also shared with other AWS accounts outside the organization. All internal and external accounts have access to send and receive messages according to a permissions policy that is attached to the SQS queue. The company wants to identify any external principals that have access to the SQS queue.
How should a solutions architect meet this requirement?
Answer options
- A. Set up an AWS CloudTrail trail that logs data events. Use CloudTrail logs to track Amazon SQS API activities by any external principals.
- B. Use an AWS Identity and Access Management Access Analyzer to create an analyzer with the current organization as a zone of trust. Filter by external findings on the SQS queue.
- C. Set up an AWS CloudTrail trail that logs management events. Use CloudTrail logs to track Amazon SQS API activities by any external principals.
- D. Use AWS Identity and Access Management Access Analyzer to create an analyzer with the current account as a zone of trust. Filter by external findings on the SQS queue.
Correct answer: B
Explanation
AWS IAM Access Analyzer identifies resources whose resource-based policies grant access to principals outside a chosen zone of trust. With the zone of trust set to the AWS Organization (Option B), only principals outside the organization are flagged as external, so the architect can filter the findings for the SQS queue and see exactly which external principals have access. Setting the zone of trust to the current account only (Option D) would also flag the other accounts inside the organization as external, mixing internal and external principals in the findings. CloudTrail (Options A and C) records API activity that has already happened; it does not evaluate who the queue's current resource policy grants access to, so it cannot answer the question of which principals have access today.
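As an added illustration of why the zone of trust decides what counts as external (this is example code, not part of the original question and not Access Analyzer's own implementation), the following Python models the check over a constructed SQS queue policy: an Allow statement's principal is flagged when its account lies outside the zone of trust. The queue policy, account IDs and organization membership are all constructed sample values, and the model ignores Condition blocks (such as aws:PrincipalOrgID), which the real service evaluates.

```python
import json

# Constructed sample SQS resource policy (not from the page): it grants
# access to two in-organization accounts and one external account, using
# the three principal formats commonly seen in resource policies.
SAMPLE_QUEUE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                               "arn:aws:iam::222222222222:role/Producer"]},
         "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
         "Resource": "arn:aws:sqs:us-east-1:111111111111:shared-queue"},
        {"Effect": "Allow",
         "Principal": {"AWS": "333333333333"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:shared-queue"},
    ],
})

# Constructed zones of trust: the queue owner's account alone (Option D)
# and the whole organization (Option B).
QUEUE_OWNER_ACCOUNT = "111111111111"
ORG_ACCOUNTS = {"111111111111", "222222222222"}


def principal_account(principal):
    """Return the 12-digit account ID named by an AWS principal string."""
    if principal == "*":
        return "*"  # anonymous/public access is never inside a zone of trust
    if principal.startswith("arn:aws:iam::"):
        return principal.split(":")[4]  # arn:aws:iam::<account>:<entity>
    return principal  # bare account ID form


def external_principals(policy_json, zone_of_trust):
    """Principals in Allow statements whose account is outside the zone of trust."""
    policy = json.loads(policy_json)
    findings = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {})
        aws_principals = ["*"] if principals == "*" else principals.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if principal_account(p) not in zone_of_trust:
                findings.add(p)
    return sorted(findings)
```

Running the same policy against both zones shows the difference: the organization zone reports only the third account, while the single-account zone also reports the organization's own producer role.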