Continuous Improvement for Existing Solutions II
Explore strategies to improve existing AWS solutions by implementing least-privilege access through IAM Identity Center, automating credential management with Secrets Manager and RDS Proxy, securing shared S3 buckets with access controls, ensuring tamper-proof CloudTrail logging, and automating GuardDuty threat response while preserving forensic data.
Question 47
A company with dozens of AWS accounts still grants developers IAM users with long-term access keys and broad AdministratorAccess policies. CI/CD tooling stores static AWS access keys for cross-account deployments. The security team must reduce standing privilege without breaking cross-account operations. Which three actions should a solutions architect recommend? (Select any three options.)
A. Move workforce access to IAM Identity Center and map users or groups to permission sets that grant only the roles needed in each account.
B. Replace static CI/CD access keys with OIDC federation or cross-account IAM roles that use temporary credentials through AssumeRole or AssumeRoleWithWebIdentity.
C. Use IAM Access Analyzer and IAM credential reports to identify unused or overly broad access; enforce permission boundaries for delegated role creation and service control policies that restrict iam:CreateAccessKey except for approved break-glass cases.
D. Keep IAM users, rotate every access key every 30 days, and require MFA for all console users.
E. Rely on CloudTrail to prevent misuse of broad permissions and perform a manual ...