AWS IAM Role Management: Automating Permission Reviews with Lambda

Question

You are an AWS administrator in a company.

You are in charge of creating IAM roles and allocating the roles to developers.

Some IAM permissions in the IAM roles may not be required after some time.

You want to use a Lambda function to check each IAM role and if a certain service is not accessed for more than 60 days, you should get a notification.

Then you can revise the IAM role with suitable permissions.

Which of the following methods can achieve the requirement?

Answers

Explanations

A. B. C. D.

Correct Answer - C.

Users can call the IAM access advisor APIs to get the last accessed details of each IAM role.

If a permission in the IAM policy has not been used for over 60 days, that permission may no longer be required.

See the reference at https://aws.amazon.com/blogs/security/automate-analyzing-permissions-using-iam-access-advisor/.

Option A is incorrect because AWS Config APIs and configuration timelines record configuration changes; they do not provide last-accessed information for services.

Option B is incorrect because AWS IAM does not provide an execution report.

Instead, you should use the IAM access advisor APIs.

Option C is CORRECT: the IAM access advisor APIs generate-service-last-accessed-details and get-service-last-accessed-details should be used for this scenario. The first call starts an asynchronous report job for a role and returns a job ID; the second call retrieves the per-service last-accessed results for that job once it completes.

Option D is incorrect: unlike CloudWatch Logs, IAM provides no insights feature for IAM roles.

The Lambda function should use the access advisor APIs to analyze the IAM permissions automatically.

The correct answer to this question is C. Create a Lambda function to get the last accessed details using the IAM access advisor APIs. Send an SNS notification if a permitted service is not accessed for more than 60 days.

Explanation:

IAM (Identity and Access Management) is the AWS service used to manage access to AWS resources. IAM roles are a fundamental part of IAM: each role carries permission policies that grant access to specific AWS resources to whoever assumes it. In this case, the administrator wants to create a Lambda function that checks IAM roles for permissions that may no longer be required.

Option A is incorrect because it suggests using the AWS Config APIs to get IAM access data. AWS Config records configuration changes to AWS resources and provides a timeline of those changes; it does not record when a particular service was last accessed. This option therefore does not address the requirement of detecting a service that has not been accessed for more than 60 days.

Option B is also incorrect because it suggests analyzing the IAM execution report every day to pick out services that have not been used for over 60 days. No such report provides the last time a particular service was accessed, so this option does not address the requirement either.

Option D is incorrect because the IAM get-insight API it proposes does not provide data on the last time a particular service was accessed, so this option does not address the requirement either.

Option C is the correct answer because it uses the IAM access advisor APIs to get the last-accessed details of each service. IAM access advisor reports the last time each service was accessed by an IAM role, so the Lambda function can use this information to find services not accessed for more than 60 days and send an SNS notification when it finds any.

In conclusion, to achieve the requirement of checking IAM roles for permissions that may not be required anymore and sending a notification if a certain service is not accessed for more than 60 days, the correct method is to use a Lambda function to get the last accessed details using the IAM access advisor APIs.
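The following Lambda handler is an added example written for this explanation, not code from the page or from AWS. It runs the two access advisor calls named in the explanation for every role, treats a service as stale when its LastAuthenticated timestamp is older than 60 days (or absent), and publishes the findings to an SNS topic whose ARN is assumed to be supplied in the SNS_TOPIC_ARN environment variable.

```python
"""Added example (not from the page): flag IAM-role permissions unused for
more than 60 days via IAM access advisor, then notify through SNS."""
import os
import time
from datetime import datetime, timedelta, timezone

THRESHOLD_DAYS = 60


def find_stale_services(services, now, threshold_days=THRESHOLD_DAYS):
    """Return the service namespaces not accessed within threshold_days.

    `services` is the ServicesLastAccessed list returned by
    get_service_last_accessed_details. An entry without LastAuthenticated
    was never used in the tracking period, so it is treated as stale too.
    """
    cutoff = now - timedelta(days=threshold_days)
    return [svc["ServiceNamespace"] for svc in services
            if svc.get("LastAuthenticated") is None
            or svc["LastAuthenticated"] < cutoff]


def last_accessed_for_role(iam, role_arn, poll_seconds=2):
    """Start the asynchronous access advisor job for one role and poll it."""
    job_id = iam.generate_service_last_accessed_details(Arn=role_arn)["JobId"]
    while True:
        resp = iam.get_service_last_accessed_details(JobId=job_id)
        if resp["JobStatus"] == "COMPLETED":
            return resp["ServicesLastAccessed"]
        if resp["JobStatus"] == "FAILED":
            raise RuntimeError(f"access advisor job failed for {role_arn}")
        time.sleep(poll_seconds)


def lambda_handler(event, context):
    import boto3  # imported here so the pure logic above runs offline
    iam, sns = boto3.client("iam"), boto3.client("sns")
    topic_arn = os.environ["SNS_TOPIC_ARN"]  # assumed environment variable
    now = datetime.now(timezone.utc)
    findings = {}
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            services = last_accessed_for_role(iam, role["Arn"])
            stale = find_stale_services(services, now)
            if stale:
                findings[role["RoleName"]] = stale
    if findings:
        body = "\n".join(f"{r}: {', '.join(s)}" for r, s in findings.items())
        sns.publish(TopicArn=topic_arn, Subject="IAM: unused permissions", Message=body)
    return findings
```

The handler's execution role needs iam:ListRoles, iam:GenerateServiceLastAccessedDetails, iam:GetServiceLastAccessedDetails and sns:Publish on the topic; a scheduled EventBridge rule can invoke it daily.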