Q44 — AWS DOP-C02 Ch.2

A company grants external customers access to its AWS account by creating an IAM user for each external customer. A DevOps engineer wants to implement a solution to revoke access for IAM users who have not accessed the account for 90 days.

Correct Answer: A. Enable AWS Config in the AWS account. Deploy the iam-user-unused-credentials-check AWS Config managed rule to run periodically. Configure automatic remediation to run the AWSConfigRemediation-RevokeUnusedIAMUserCredentials AWS Systems Manager Automation runbook.

Explanation

Option A correctly revokes unused IAM credentials. Option B detaches policies but does not revoke credentials. Option C identifies inactive credentials using Trusted Advisor but does not revoke them. Option D determines last IAM access but does not revoke credentials.