AWS Certified DevOps Engineer – Professional — Question 185
A company grants external users access to its AWS account by creating an IAM user for each external user. A DevOps engineer must implement a solution to revoke access from IAM users that have not accessed the account in 90 days.
Which solution will meet these requirements?
Answer options
- A. Turn on AWS Config in the AWS account. Deploy the iam-user-unused-credentials-check AWS Config managed rule. Configure the rule to run periodically. Configure AWS Config automatic remediation to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
- B. Use AWS Identity and Access Management Access Analyzer to create an analyzer in the AWS account. Create an Amazon EventBridge rule to match IAM Access Analyzer events for IAM users that were last accessed more than 90 days ago. Configure the rule to run the AWSConfigRemediation-DetachIAMPolicy AWS Systems Manager Automation runbook to detach any policies that are attached to the IAM user.
- C. Enable AWS Trusted Advisor in the AWS account. Use the AWS Developer Support plan to access the AWS Support API. Configure an Amazon EventBridge scheduled rule to use the Support API's Trusted Advisor IAM Access Key Rotation check to discover IAM credentials that have not been accessed for more than 90 days. Configure another EventBridge rule to use the Trusted Advisor Check Item Refresh Status event type and to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
- D. Enable AWS Security Hub in the AWS account. Configure a Security Hub rule that determines when an IAM user was last accessed. Configure an Amazon EventBridge rule to match the Security Hub rule and to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
Correct answer: A
Explanation
Option A is correct because it pairs a detection that measures exactly the condition in the requirement with a remediation that revokes exactly what the requirement asks for. The iam-user-unused-credentials-check managed rule is a periodic rule that marks an IAM user NON_COMPLIANT when the user's console password or an active access key has not been used within maxCredentialUsageAge days (the parameter defaults to 90). Attaching an automatic remediation to that rule runs the AWSConfigRemediation-RevokeUnusedIAMUserCredentials runbook against each non-compliant user; the runbook deactivates the unused access keys and deletes the unused login profile (console password), which is what "revoke access" means for an IAM user, and it does so without deleting the user.

Option B is wrong because the DetachIAMPolicy runbook removes permissions rather than credentials: the user's password and access keys stay valid, and access is silently restored as soon as a policy is attached again. The IAM Access Analyzer event match described is also not a reliable trigger for "last accessed more than 90 days ago." Option C is wrong on two counts: the Trusted Advisor IAM Access Key Rotation check flags keys by age since creation, not by last use, and the AWS Support API (through which Trusted Advisor checks are queried and refreshed) requires a Business or higher support plan, not Developer. Option D is wrong because Security Hub has controls and findings, not "rules" that compute last-access time; the relevant Security Hub control for unused credentials is itself backed by the same iam-user-unused-credentials-check Config rule, so Option A is the direct implementation and D adds an extra hop without adding the detection.
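The following CloudFormation template is an added example of how Option A is typically deployed; it is not part of the original question or AWS documentation. It assumes the AWS Config recorder is already enabled in the deploying region and records AWS::IAM::User. The IAM action list on the remediation role is an assumption to be checked against the runbook's documented required permissions; the rule name, source identifier, runbook name and its parameter names (AutomationAssumeRole, IAMResourceId, MaxCredentialUsageAge) are the real ones.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Example only: AWS Config rule plus automatic remediation that revokes
  IAM user credentials unused for 90 days. Assumes the Config recorder is
  enabled in this region and records AWS::IAM::User.

Resources:
  # Role assumed by the Systems Manager Automation runbook.
  # The action list below is an assumption; cross-check it against the
  # runbook's documented required permissions before deploying.
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: RevokeUnusedIamUserCredentials
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - iam:GetUser
                  - iam:ListUsers
                  - iam:ListAccessKeys
                  - iam:GetAccessKeyLastUsed
                  - iam:GetLoginProfile
                  - iam:DeleteLoginProfile   # removes the unused console password
                  - iam:UpdateAccessKey      # sets unused keys to Inactive
                  - config:ListDiscoveredResources
                Resource: "*"

  # Periodic managed rule: NON_COMPLIANT when a user's password or an
  # active access key has not been used in maxCredentialUsageAge days.
  UnusedCredentialsRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: iam-user-unused-credentials-check
      Description: IAM user has a password or active access key unused for 90 days
      Source:
        Owner: AWS
        SourceIdentifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
      InputParameters:
        maxCredentialUsageAge: "90"
      MaximumExecutionFrequency: TwentyFour_Hours

  # Automatic remediation: Config invokes the runbook once per
  # non-compliant IAM user, passing that user's resource ID.
  UnusedCredentialsRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref UnusedCredentialsRule
      TargetType: SSM_DOCUMENT
      TargetId: AWSConfigRemediation-RevokeUnusedIAMUserCredentials
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt RemediationRole.Arn
        IAMResourceId:
          ResourceValue:
            Value: RESOURCE_ID
        MaxCredentialUsageAge:
          StaticValue:
            Values:
              - "90"
```

Two practical checks after deploying: confirm the rule is evaluating with `aws configservice describe-compliance-by-config-rule --config-rule-names iam-user-unused-credentials-check`, and deploy the template in only one region, because IAM is a global service and a Config recorder that records global resources in several regions would trigger the same remediation several times per user. Note also that the runbook revokes credentials but leaves the IAM user in place, so re-enabling an external user later is a matter of issuing a new password or access key rather than recreating the user.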