Q3 — AWS SAP-C02 Ch.1


Q78. An external audit of a company's serverless application reveals IAM policies that grant too many permissions. These policies are attached to the company's AWS Lambda execution roles. Hundreds of the company's Lambda functions have broad access permissions, such as full access to Amazon S3 buckets and Amazon DynamoDB tables. The company wants each function to have only the minimum permissions that the function needs to complete its task. A solutions architect must determine which permissions each Lambda function needs. What should the solutions architect do to meet this requirement with the LEAST amount of effort?

Correct Answer: B. Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access Management (IAM) Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company's business requirements.

Explanation

Option B is the answer that determines the minimum permissions for each Lambda function with the least effort, because it uses AWS CloudTrail and IAM Access Analyzer policy generation to build the policies from recorded activity instead of by hand:

1. AWS CloudTrail logging: With a trail enabled for the account (covering the Regions in which the functions run), CloudTrail records the API calls each Lambda function makes, including the service, the action, and the resources involved. Each record identifies the calling principal, so activity can be attributed to a specific execution role.

2. IAM Access Analyzer policy generation: Given an execution role and a CloudTrail trail, Access Analyzer inspects the events in which that role was the principal and generates an IAM policy that allows only the actions and services it observed. Policy generation is run per role and looks back over a configurable window of up to 90 days of trail history.

3. Review generated policies: The solutions architect reviews each generated policy before attaching it, confirming that it covers everything the function legitimately does and nothing more. This step is required, not optional: action-level detail is produced only for services Access Analyzer supports, and, at the time of writing, policy generation is based on management events rather than data events, so object-level S3 and item-level DynamoDB calls come back as service-level access that must be narrowed by hand. Functions with rarely exercised code paths (error handlers, monthly jobs) may also not appear in the observation window.

This approach automates most of the work of determining each function's permissions and bases the resulting policies on actual usage, which is both less effort and more accurate than reasoning about each function's code.

Option A is incorrect because Amazon CodeGuru profiles application performance; it does not report the IAM actions a function uses, so the architect would still have to write every policy by hand.

Option C is incorrect because parsing the CloudTrail log into a summary report still leaves the architect to translate the report into a policy for each of hundreds of functions.

Option D is incorrect because processing the CloudTrail logs with Amazon EMR adds infrastructure and still ends with manually written policies.

Therefore option B is the recommended solution: CloudTrail captures the activity, Access Analyzer turns it into candidate least-privilege policies, and the architect's effort is limited to review.

Note that policy generation is a different Access Analyzer capability from its external access findings. The findings feature identifies resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity, by using logic-based reasoning to analyze the resource-based policies in your AWS environment. That surfaces unintended access to your resources and data, but it does not generate policies for your own roles, which is what this question requires.
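The following is an added example, not part of the original question or of any AWS tooling, that works through the same idea offline: take CloudTrail records, keep only the calls made by one execution role, derive the IAM actions and resources actually used, build a candidate policy, and run the review check that the candidate still allows every observed call before it replaces the broad one. The role names, account ID, bucket and table names, and the sample records are all constructed; the API-name-to-IAM-action map is a deliberately partial illustration of a mapping that Access Analyzer maintains in full. In a real account the equivalent steps are `aws accessanalyzer start-policy-generation` followed by `aws accessanalyzer get-generated-policy`.

```python
"""Derive a least-privilege IAM policy for one Lambda execution role from
CloudTrail records, then check that the candidate policy still covers every
observed call. Added illustration; not Access Analyzer's implementation."""
import fnmatch
import json
from collections import defaultdict

# Hypothetical role ARNs and account ID (constructed for the example).
ROLE = "arn:aws:iam::123456789012:role/order-fn-role"
OTHER_ROLE = "arn:aws:iam::123456789012:role/admin-role"


def _event(role, source, name, params, error=None):
    """Build a minimal CloudTrail record (constructed sample data, not a real log)."""
    ev = {
        "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
        "recipientAccountId": "123456789012", "requestParameters": params,
        "userIdentity": {"type": "AssumedRole",
                         "sessionContext": {"sessionIssuer": {"arn": role}}},
    }
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    _event(ROLE, "s3.amazonaws.com", "GetObject", {"bucketName": "orders-inbound", "key": "2024/01/o1.json"}),
    _event(ROLE, "s3.amazonaws.com", "GetObject", {"bucketName": "orders-inbound", "key": "2024/01/o2.json"}),
    _event(ROLE, "s3.amazonaws.com", "ListObjectsV2", {"bucketName": "orders-inbound"}),
    _event(ROLE, "dynamodb.amazonaws.com", "PutItem", {"tableName": "orders"}),
    # A denied call: the role tried and failed, so the new policy must not add it.
    _event(ROLE, "s3.amazonaws.com", "GetObject", {"bucketName": "payroll", "key": "x.csv"}, error="AccessDenied"),
    # Activity by a different role must not leak into this role's policy.
    _event(OTHER_ROLE, "dynamodb.amazonaws.com", "DeleteTable", {"tableName": "orders"}),
]

SERVICE_PREFIX = {"s3.amazonaws.com": "s3", "dynamodb.amazonaws.com": "dynamodb"}
# Some API names differ from the IAM action that authorises them. This is a
# small illustrative subset; Access Analyzer keeps the complete mapping.
ACTION_OVERRIDES = {"s3:ListObjects": "s3:ListBucket", "s3:ListObjectsV2": "s3:ListBucket"}


def role_of(event):
    """Return the ARN of the role behind an assumed-role session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def resource_arn(event):
    """Derive the narrowest resource ARN the record supports; '*' when unknown."""
    svc = SERVICE_PREFIX.get(event["eventSource"])
    p = event.get("requestParameters") or {}
    if svc == "s3" and "bucketName" in p:
        # Object calls get bucket/*, bucket-level calls (ListBucket) get the bucket itself.
        return f"arn:aws:s3:::{p['bucketName']}/*" if "key" in p else f"arn:aws:s3:::{p['bucketName']}"
    if svc == "dynamodb" and "tableName" in p:
        return f"arn:aws:dynamodb:{event['awsRegion']}:{event['recipientAccountId']}:table/{p['tableName']}"
    return "*"


def observed_access(events, role_arn):
    """Map each IAM action the role successfully used to the resources it touched."""
    used = defaultdict(set)
    for ev in events:
        # Skip other principals and failed calls (a denied call is not evidence of need).
        if role_of(ev) != role_arn or ev.get("errorCode"):
            continue
        svc = SERVICE_PREFIX.get(ev["eventSource"])
        if svc is None:
            continue
        action = f"{svc}:{ev['eventName']}"
        used[ACTION_OVERRIDES.get(action, action)].add(resource_arn(ev))
    return used


def build_policy(used):
    """Group actions that share a resource set into one Allow statement each."""
    by_resources = defaultdict(set)
    for action, resources in used.items():
        by_resources[tuple(sorted(resources))].add(action)
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": list(resources)}
                  for resources, actions in sorted(by_resources.items())]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """True if some Allow statement matches both action and resource.
    IAM's '*' and '?' wildcards behave like fnmatch's for ARNs and action names."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False


def coverage_gaps(policy, used):
    """Review check: every observed (action, resource) must still be allowed by the candidate."""
    return sorted((a, r) for a, rs in used.items() for r in rs if not policy_allows(policy, a, r))


if __name__ == "__main__":
    used = observed_access(SAMPLE_EVENTS, ROLE)
    candidate = build_policy(used)
    print(json.dumps(candidate, indent=2))
    print("gaps:", coverage_gaps(candidate, used))
```

The coverage check is the part worth keeping in a real rollout: run it against the policy Access Analyzer produces (or the one you narrowed by hand) and the recorded activity, and only then replace the role's broad `s3:*` / `dynamodb:*` statements, so a function does not lose a permission it genuinely uses.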