AWS Certified Solutions Architect Professional SAP-C02 Practice Question
An enterprise operates more than 100 AWS accounts that are part of a single AWS Organizations hierarchy. The security team needs a scalable mechanism to audit least-privilege adherence. The solution must continuously detect IAM users and roles whose permissions are unused or overly permissive, surface policy-level recommendations to right-size those permissions, and centralize all findings in a designated security tooling account. The team wants to rely only on native AWS services and keep ongoing administration to a minimum. Which approach will BEST meet these requirements?
Enable Amazon Inspector across all accounts and schedule Inspector to continuously scan IAM policies for unused or overly permissive actions, routing findings to the security tooling account.
Create an AWS Config organization aggregator in the security tooling account and deploy the managed rule iam-policy-no-statements-with-admin-access to every account; use conformance packs to view compliance results.
Make the security tooling account the delegated administrator for AWS IAM Access Analyzer, create an organization-scoped unused access analyzer, and ensure an organization-level AWS CloudTrail trail is enabled so Access Analyzer can generate least-privilege policy recommendations.
Aggregate CloudTrail logs from each member account into an Amazon S3 bucket in the security tooling account, then use Amazon Athena queries invoked by scheduled AWS Lambda functions to locate principals that have not invoked any actions in 90 days and send alerts.
AWS IAM Access Analyzer provides an organization-scoped "unused access" analyzer that continuously reviews every IAM principal, identifies unused roles, keys, and individual permissions, and offers recommended replacement policies to help administrators right-size access. Appointing the security tooling account as the delegated administrator centralizes the findings dashboard and EventBridge events for all member accounts. Enabling an organization trail in AWS CloudTrail supplies the historical API-activity data that Access Analyzer uses when it generates policy recommendations. AWS Config managed rules can flag wildcard policies but do not evaluate whether permissions are actually used, and Amazon Inspector does not analyze IAM policies. Building custom Athena queries and Lambda functions would satisfy the functional need but adds significant undifferentiated operational work, so it is not the BEST native, low-maintenance option.
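As an added illustration of the last step in the chosen design (not code from the exam page or from AWS), the script below triages unused-access findings once they are visible in the delegated-administrator account. The findings are constructed to mimic the field names returned by `aws accessanalyzer list-findings-v2` (id, resource, resourceType, resourceOwnerAccount, status, findingType); the account IDs and ARNs are invented.

```python
"""Triage IAM Access Analyzer unused-access findings centralized in the
security tooling (delegated administrator) account.

Added example. SAMPLE_FINDINGS is constructed to mimic the shape of
`aws accessanalyzer list-findings-v2` output; it is not real data."""
from collections import defaultdict

# Finding types produced by an unused access analyzer, split by the
# remediation they call for.
REMOVE_TYPES = {"UnusedIAMRole", "UnusedIAMUserAccessKey", "UnusedIAMUserPassword"}
RIGHT_SIZE_TYPES = {"UnusedPermission"}  # keep the principal, shrink its policy

SAMPLE_FINDINGS = [  # constructed sample data, two member accounts
    {"id": "f-1", "resource": "arn:aws:iam::111111111111:role/legacy-deploy",
     "resourceType": "AWS::IAM::Role", "resourceOwnerAccount": "111111111111",
     "status": "ACTIVE", "findingType": "UnusedIAMRole"},
    {"id": "f-2", "resource": "arn:aws:iam::111111111111:role/app-role",
     "resourceType": "AWS::IAM::Role", "resourceOwnerAccount": "111111111111",
     "status": "ACTIVE", "findingType": "UnusedPermission"},
    {"id": "f-3", "resource": "arn:aws:iam::222222222222:user/ci-bot",
     "resourceType": "AWS::IAM::User", "resourceOwnerAccount": "222222222222",
     "status": "ACTIVE", "findingType": "UnusedIAMUserAccessKey"},
    {"id": "f-4", "resource": "arn:aws:iam::222222222222:role/old-role",
     "resourceType": "AWS::IAM::Role", "resourceOwnerAccount": "222222222222",
     "status": "RESOLVED", "findingType": "UnusedIAMRole"},  # already cleaned up
]


def triage(findings):
    """Group ACTIVE findings per member account into two work queues:
    'remove' (dormant roles, keys, passwords) and 'right_size' (principals
    whose policies should be replaced with the analyzer's recommended
    least-privilege policy). Returns {account_id: {"remove": [...], "right_size": [...]}}."""
    report = defaultdict(lambda: {"remove": [], "right_size": []})
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue  # ARCHIVED and RESOLVED findings need no action
        kind = f.get("findingType")
        queue = report[f["resourceOwnerAccount"]]
        if kind in REMOVE_TYPES:
            queue["remove"].append((f["resource"], kind))
        elif kind in RIGHT_SIZE_TYPES:
            queue["right_size"].append(f["resource"])
        # Other finding types (e.g. external access) belong to a different
        # analyzer type and are intentionally skipped here.
    return dict(report)


if __name__ == "__main__":
    for account, queues in sorted(triage(SAMPLE_FINDINGS).items()):
        print(account, queues)
```

Items in the right_size queue are the ones to feed to the analyzer's policy-recommendation feature so the replacement policy can be reviewed before it is applied in the member account.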
Continuous Improvement for Existing Solutions