AWS Access Control Policies: Analyzing and Protecting Resources | Exam DVA-C01

Analyze and Protect AWS Resources with Access Control Policies


Question

You are managing a central AWS account in your company.

You need a tool to analyze access control policies in resources such as S3 and determine if resources can be accessed publicly or from other AWS accounts.

With this tool, you can protect the resources from unexpected access from outside.

Which option should be selected to achieve the requirement?

Answers

A. Download the Credential Report from IAM and analyze the unexpected access.

B. Download the service access report of the AWS Organization.

C. Check the Access Advisor of IAM roles or S3 bucket policies.

D. Create an IAM Access Analyzer and review the findings.

Explanations

Correct Answer - D.

Option A is incorrect: the Credential Report lists the users and their credentials, but it cannot provide the access information.

Option B is incorrect: the question does not mention AWS Organizations, and the service access report does not tell whether resources can be accessed from outside.

Option C is incorrect: Access Advisor provides the last-accessed information for the allowed services, but it does not identify the services that may be accessed publicly from the outside.

Option D is CORRECT: IAM Access Analyzer can identify resources that are shared with external entities.

Reference:

https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

The option that should be selected to achieve the requirement is D: Create an IAM Access Analyzer and review the findings.

IAM Access Analyzer is a tool that can be used to identify any unintended access granted to resources in your AWS account. It works by analyzing resource-based policies to identify any resources that are accessible to external principals, such as other AWS accounts or the public internet. With IAM Access Analyzer, you can easily identify potential security risks in your AWS resources and take appropriate actions to mitigate those risks.
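To make the kind of check Access Analyzer performs concrete, here is an added example (not from the page and not Access Analyzer's own algorithm) that walks a resource-based policy and reports Allow statements whose principal is the public wildcard or an identity in another account. The bucket policy and the account IDs 111111111111 and 222222222222 are constructed sample data, and the checker deliberately ignores Condition elements, which the real service reasons about.

```python
import json
import re

# Constructed sample S3 bucket policy (not from the page): one public grant,
# one cross-account grant, one same-account grant and one Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerList", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "OwnAccount", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/app"]},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")

def _principals(principal):
    """Flatten Principal ("*" or a map of AWS/Service/Federated to str|list)."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out

def find_external_access(policy_json, own_account):
    """Return (sid, principal, kind) for every Allow statement whose principal
    is the public wildcard or an identity in another AWS account. Simplification:
    Condition elements are ignored, so a conditionally restricted grant is still reported."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":  # only grants can expose a resource
            continue
        for p in _principals(stmt.get("Principal", {})):
            match = ACCOUNT_IN_ARN.match(p)
            if p == "*":
                findings.append((stmt.get("Sid"), p, "public"))
            elif match and match.group(1) != own_account:
                findings.append((stmt.get("Sid"), p, "cross-account"))
            elif p.isdigit() and p != own_account:  # bare account-ID principal
                findings.append((stmt.get("Sid"), p, "cross-account"))
    return findings
```

Running it with own account 111111111111 reports the PublicRead and PartnerList statements and stays silent on the same-account grant and the Deny.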

Option A: Download the Credential Report from IAM and analyze the unexpected access is incorrect because the Credential Report only provides information about IAM users and their access keys. It does not provide information about resource-based policies or unexpected access.

Option B: Download the service access report of the AWS Organization is incorrect because the service access report only provides information about services that have been used in your AWS account. It does not provide information about resource-based policies or unexpected access.

Option C: Check the Access Advisor of IAM roles or S3 bucket policies is incorrect because the Access Advisor only provides information about the permissions granted to a specific IAM role or S3 bucket policy. It does not provide information about unexpected access or permissions granted to external principals.

Therefore, the correct option for analyzing access control policies in resources such as S3 and determining whether resources can be accessed publicly or from other AWS accounts is to create an IAM Access Analyzer and review the findings.