Q68 — AWS DVA-C02 Ch.3
Question 68 of 100
For the past three months, a development team has been using a build server running on an Amazon EC2 instance to perform builds and deployments. The EC2 instance’s instance profile uses an IAM role with an overly permissive IAM policy. The development team must replace this policy with one that grants only the minimum required permissions. What is the fastest way to create a custom IAM policy for the EC2 instance to meet this requirement?
- A. Create a new IAM policy based on the services deployed or updated by the build server over the past three months.
- B. Create a new IAM policy containing all actions logged by AWS CloudTrail for the IAM role over the past three months. ✓
- C. Create a new permissions boundary policy that denies all access and associate the permissions boundary with the IAM role.
- D. Create a new IAM policy by querying the Amazon S3 bucket containing AWS CloudTrail events for the IAM role over the past three months using Amazon Athena.
Correct Answer: B. Create a new IAM policy containing all actions logged by AWS CloudTrail for the IAM role over the past three months.
Explanation
As an administrator or developer, you might grant IAM entities (users or roles) more permissions than they need. IAM provides several options for refining granted permissions. One of them is to generate an IAM policy from the entity's actual access activity: IAM Access Analyzer reviews your AWS CloudTrail logs and produces a policy template containing only the permissions the entity used within the date range you specify. You can then use that template to create a fine-grained policy granting just the permissions your use case requires. Treat the generated template as a starting point and review it before attaching it: it reflects only the activity recorded in CloudTrail for the chosen period, so actions the role needs but did not exercise in that window will be missing. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_generate-policy.html