AWS Certified SysOps Administrator – Associate — Question 141
A company’s application currently uses an IAM role that allows all access to all AWS services. A SysOps administrator must ensure that the company’s IAM policies allow only the permissions that the application requires.
How can the SysOps administrator create a policy to meet this requirement?
Answer options
- A. Turn on AWS CloudTrail. Generate a policy by using AWS Security Hub.
- B. Turn on Amazon EventBridge (Amazon CloudWatch Events). Generate a policy by using AWS Identity and Access Management Access Analyzer.
- C. Use the AWS CLI to run the get-generated-policy command in AWS Identity and Access Management Access Analyzer.
- D. Turn on AWS CloudTrail. Generate a policy by using AWS Identity and Access Management Access Analyzer.
Correct answer: D
Explanation
The correct answer is D. Enabling AWS CloudTrail records the API activity of the application's role, and IAM Access Analyzer policy generation analyzes that CloudTrail activity to produce a policy containing only the actions the application actually used, which the administrator can then review and attach in place of the over-permissive policy. Option A is wrong because AWS Security Hub does not generate IAM policies. Option B is wrong because Access Analyzer generates policies from CloudTrail logs, not from Amazon EventBridge (Amazon CloudWatch Events). Option C is wrong because the get-generated-policy command only retrieves the output of a policy generation job; it does not mention CloudTrail, whose activity data is essential for the job to produce a policy.