
Continuous Improvement for Existing Solutions II

Prepare yourself for the AWS Certified Solutions Architect Professional (SAP-C02) exam with advanced questions on least-privilege access, secrets rotation, secure data lake governance, tamper-proof logging, and automated incident response.

Question 47

A company with dozens of AWS accounts still grants developers IAM users with long-term access keys and broad AdministratorAccess policies. CI/CD tooling stores static AWS access keys for cross-account deployments. The security team must reduce standing privilege without breaking cross-account operations. Which three actions should a solutions architect recommend? (Select three.)

A. Move workforce access to IAM Identity Center and map users or groups to permission sets that grant only the roles needed in each account.

B. Replace static CI/CD access keys with OIDC federation or cross-account IAM roles that use temporary credentials through AssumeRole or AssumeRoleWithWebIdentity.

C. Use IAM Access Analyzer and IAM credential reports to identify unused or overly broad access; enforce permission boundaries for delegated role creation and service control policies that restrict iam:CreateAccessKey except for approved break-glass cases.

D. Keep IAM users, rotate every access key every 30 days, and require MFA for all console users.

E. Rely on CloudTrail to prevent misuse of broad permissions and perform a manual ...