Q34 — AWS SCS-C02 Ch.1

Question 34 of 100 (Chapter 1)

A company's security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically. Which solution will meet these requirements with the LEAST amount of effort?

Correct Answer: A. Deploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-keys-rotated managed rule, and set the maxAccessKeyAge parameter to 90 days. Create an Amazon EventBridge rule with an event pattern that matches the compliance type of NON_COMPLIANT from AWS Config for the managed rule. Configure EventBridge to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.

Explanation

This question centers on the core mechanism for monitoring AWS access key rotation; the key is to identify the automated solution with the lowest operational cost. AWS Config provides the prebuilt compliance rule access-keys-rotated, which lets you set the maximum key age directly (the maxAccessKeyAge parameter). EventBridge then captures the NON_COMPLIANT compliance event and triggers an SNS alert, so no code needs to be written anywhere in the flow. The other options all involve writing scripts (for example, exporting reports or polling APIs) or complex data-processing pipelines (S3 + Athena), which carry significantly higher operational complexity. The correct answer is A.