AWS Certified SysOps Administrator – Associate (legacy) — Question 637

Developers are using IAM access keys to manage AWS resources using AWS CLI. Company policy requires that access keys are automatically disabled when the access key age is greater than 90 days.
Which solution will accomplish this?

Answer options

• A. Configure an Amazon CloudWatch alarm to trigger an AWS Lambda function that disables keys older than 90 days.
• B. Configure AWS Trusted Advisor to identify and disable keys older than 90 days.
• C. Set a password policy on the account with a 90-day expiration.
• D. Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation.

Correct answer: D

Explanation

AWS Config can continuously monitor the age of IAM access keys using the iam-access-key-rotated managed rule. By associating an AWS Systems Manager Automation document as a remediation action, the system can automatically deactivate keys that fail compliance (older than 90 days). Amazon CloudWatch alarms, Trusted Advisor, and password policies cannot natively disable IAM access keys in this automated manner.