Q44 — AWS DOP-C02 Ch.2
A company grants external customers access to its AWS account by creating an IAM user for each external customer. A DevOps engineer wants to implement a solution to revoke access for IAM users who have not accessed the account for 90 days.
- A. Enable AWS Config in the AWS account. Deploy the iam-user-unused-credentials-check AWS Config managed rule to run periodically. Configure automatic remediation to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook. ✓
- B. Create an IAM Access Analyzer in the AWS account. Create an Amazon EventBridge rule matching IAM user access analyzer events indicating last access occurred over 90 days ago. Configure the rule to run the AWSConfigRemediation-DetachIAMPolicy AWS Systems Manager Automation runbook to detach any policies attached to the IAM user.
- C. Enable AWS Trusted Advisor in the AWS account. Use the AWS Developer Support plan to access the AWS Support API. Configure an Amazon EventBridge scheduled rule to use the Trusted Advisor IAM access key rotation check to identify IAM credentials unused for over 90 days. Configure another EventBridge rule using the Trusted Advisor Check Item Refresh Status event type and run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
- D. Enable AWS Security Hub in the AWS account. Configure a Security Hub rule to determine the last time an IAM user was accessed. Configure an Amazon EventBridge rule to match the Security Hub rule and run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
Correct Answer: A. Enable AWS Config in the AWS account. Deploy the iam-user-unused-credentials-check AWS Config managed rule to run periodically. Configure automatic remediation to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.
Explanation
Option A is the only choice that both detects and revokes unused IAM credentials: the AWS Config managed rule flags IAM users whose credentials have been unused for the configured period, and the automatic remediation runbook revokes them. Option B detaches policies but does not revoke credentials. Option C identifies inactive credentials using Trusted Advisor but does not revoke them. Option D determines the last IAM access but does not revoke credentials.