AWS Certified SysOps Administrator – Associate — Question 93

A company requires that all IAM user accounts that have not been used for 90 days or more must have their access keys and passwords immediately disabled. A SysOps administrator must automate the process of disabling unused keys using the MOST operationally efficient method.

How should the SysOps administrator implement this solution?

Answer options

• A. Create an AWS Step Functions workflow to identify IAM users that have not been active for 90 days. Run an AWS Lambda function when a scheduled Amazon EventBridge (Amazon CloudWatch Events) rule is invoked to automatically remove the AWS access keys and passwords for these IAM users.
• B. Configure an AWS Config rule to identify IAM users that have not been active for 90 days. Set up an automatic weekly batch process on an Amazon EC2 instance to disable the AWS access keys and passwords for these IAM users.
• C. Develop and run a Python script on an Amazon EC2 instance to programmatically identify IAM users that have not been active for 90 days. Automatically delete these IAM users.
• D. Set up an AWS Config managed rule to identify IAM users that have not been active for 90 days. Set up an AWS Systems Manager automation runbook to disable the AWS access keys for these IAM users.

Correct answer: D

Explanation

Option D is correct because it utilizes AWS Config managed rules and AWS Systems Manager automation, which are designed for operational efficiency and automation of tasks. Option A, while effective, involves more complexity with Step Functions and Lambda that may not be necessary. Option B relies on a manual batch process, which is less efficient than the automation offered by AWS Systems Manager. Option C incorrectly suggests deleting IAM users instead of just disabling their keys and passwords, which does not comply with the requirement.