Your development team needs to use AWS access keys to develop an application with access to S3 and DynamoDB.
A new security policy has outlined that the access keys should be rotated when nearing 2 months.
How can you achieve this?
A. Enable automatic key rotation on the access keys.
B. Use a script to query the creation date of the keys. If nearing 2 months, create a new access key and update the application to use it, then inactivate the old key and delete it.
C. Delete and recreate the IAM user every two months.
D. Delete and recreate the IAM role every two months.
Answer - B.
One can use the CLI command aws iam list-access-keys to enumerate a user's access keys.
The output includes the "CreateDate" of each key, so a script can compute the key's age.
If the CreateDate is approaching 2 months, the script creates a replacement key, switches the application to it, and only then deactivates and deletes the old key. IAM allows each user up to two access keys at a time, which is what makes this overlap possible: the new key is created while the old one is still in service.
The list-access-keys CLI command returns information about the access key IDs associated with the specified IAM user; if the user has none, the action returns an empty list.
Option A is incorrect because IAM user access keys have no automatic rotation feature.
Option C is incorrect because deleting and recreating the user every two months is a disruptive manual approach: the user's policies, group memberships, and keys would all have to be redone, and the application reconfigured, each time.
Option D is incorrect because no IAM role is used in this scenario; the application authenticates with an IAM user's access keys.
For more information on the CLI command, please refer to the below Link:
http://docs.aws.amazon.com/cli/latest/reference/iam/list-access-keys.html

The correct answer to this question is B: use a script to query the creation date of the keys and, if nearing 2 months, create a new access key, update the application to use it, then inactivate the old key and delete it.
Option A, enabling automatic key rotation, is not possible: IAM provides no automatic rotation for user access keys. The only credentials AWS rotates on its own are the temporary credentials issued when an IAM role is assumed, which is not what this scenario uses.
Option C, deleting and recreating the user every two months, is not recommended, as it would disrupt the development process: the user would need to be recreated, access keys generated, permissions reattached, and the application reconfigured every two months.
Option D, deleting and recreating the IAM role every two months, is not applicable in this scenario: IAM roles do not have long-term access keys (they are assumed to obtain temporary credentials), and the developers here are using an IAM user's access keys.
Thus, the best option is to use a script to query the creation date of the keys and, if nearing two months, create a new access key, update the application to use the new key, inactivate the old key, and delete it. This can be automated with the AWS CLI or AWS SDKs so that keys are replaced before they exceed the two-month limit set by the policy (access keys never expire on their own), thus maintaining the security of the AWS environment.
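The rotation procedure described above (list the keys, check CreateDate, create a replacement, switch the application, deactivate, then delete) as a runnable script. This is an added example, not code from the original page or from AWS. The rotation logic calls the real boto3 IAM client methods (list_access_keys, create_access_key, update_access_key, delete_access_key) with their real parameter names and response shapes, so boto3.client("iam") can be passed in against a live account; the FakeIAM client, the user name, the key IDs and the 55-day threshold are all constructed assumptions so the example runs offline. The deploy_new_key callback is a hypothetical hook for the application-specific step of pushing the new credential out. Two points the page's summary glosses over are handled explicitly: the IAM quota of two access keys per user (a third create call fails), and deactivating the old key before deleting it, so a rollback is still possible if something was still using it.

```python
"""Rotate IAM user access keys nearing a maximum age (added example; FakeIAM,
the key IDs and the threshold are constructed, the boto3 method names and
response shapes are real, so boto3.client("iam") can be passed in instead)."""
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2  # IAM quota: a user can hold at most two access keys
MAX_AGE_DAYS = 55      # assumption: "nearing 2 months" means rotate from day 55


def key_age_days(key, now):
    """Whole days since the key's CreateDate (a timezone-aware datetime)."""
    return (now - key["CreateDate"]).days


def rotate_if_stale(iam, user_name, deploy_new_key, now, max_age_days=MAX_AGE_DAYS):
    """Rotate the user's oldest active key once it reaches max_age_days.

    deploy_new_key(key_id, secret) is a hypothetical hook (assumed here) that
    pushes the new credential to the application. Returns (old_id, new_id) when
    a rotation happened, otherwise None.
    """
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    # Keys left Inactive by a previous run were superseded then; the application
    # has run without them since, so delete them now (this also frees a quota slot).
    for key in [k for k in keys if k["Status"] == "Inactive"]:
        iam.delete_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"])
    active = [k for k in keys if k["Status"] == "Active"]
    stale = [k for k in active if key_age_days(k, now) >= max_age_days]
    if not stale:
        return None
    if len(active) >= MAX_KEYS_PER_USER:
        # Both slots active: a third create_access_key call fails with LimitExceeded,
        # and blindly deactivating one could break whatever still uses it.
        raise RuntimeError(f"{user_name}: both key slots active, deactivate one first")
    old = min(stale, key=lambda k: k["CreateDate"])
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    deploy_new_key(new["AccessKeyId"], new["SecretAccessKey"])
    # Deactivate rather than delete: an Inactive key can be re-enabled if the
    # application turns out to still depend on it; it is deleted on the next run.
    iam.update_access_key(UserName=user_name, AccessKeyId=old["AccessKeyId"], Status="Inactive")
    return old["AccessKeyId"], new["AccessKeyId"]


class FakeIAM:
    """Constructed stand-in for boto3's IAM client, for offline runs only."""

    def __init__(self, keys, now):
        self.keys, self.now, self.created = [dict(k) for k in keys], now, 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if sum(k["UserName"] == UserName for k in self.keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded")  # mirrors the real API's quota error
        self.created += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIAEXAMPLENEW{self.created:06d}",
               "Status": "Active", "CreateDate": self.now}
        self.keys.append(key)
        return {"AccessKey": {**key, "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys:
            if k["UserName"] == UserName and k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys = [k for k in self.keys
                     if not (k["UserName"] == UserName and k["AccessKeyId"] == AccessKeyId)]


def demo():
    """Two rotation cycles plus the quota edge case, on constructed data."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    iam = FakeIAM([{"UserName": "dev-app", "AccessKeyId": "AKIAEXAMPLEOLD000001",
                    "Status": "Active", "CreateDate": now - timedelta(days=58)}], now)
    deployed = []
    first = rotate_if_stale(iam, "dev-app", lambda kid, _secret: deployed.append(kid), now)
    after_first = {k["AccessKeyId"]: k["Status"] for k in iam.keys}
    # Next run: the Inactive key is deleted and the new one is far from stale.
    second = rotate_if_stale(iam, "dev-app", lambda *a: None, now + timedelta(days=1))
    # A user already holding two active keys cannot get a third; the script refuses.
    full = FakeIAM([{"UserName": "u", "AccessKeyId": f"AKIAEXAMPLEFULL{i}", "Status": "Active",
                     "CreateDate": now - timedelta(days=60)} for i in (1, 2)], now)
    try:
        rotate_if_stale(full, "u", lambda *a: None, now)
        refused = False
    except RuntimeError:
        refused = True
    return {"first": first, "deployed": deployed, "after_first": after_first, "second": second,
            "remaining": [k["AccessKeyId"] for k in iam.keys], "refused": refused}


if __name__ == "__main__":
    print(demo())
```

Run this on a schedule (daily is plenty for a two-month limit); each run deletes keys that were deactivated by the previous run, so an old key stays recoverable for one cycle. The script deliberately refuses to act when both key slots are already active rather than deactivating one on its own, because the second key may belong to a different consumer it knows nothing about.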