Several teams share one AWS account, and there is a large number of IAM roles.
You need a method to periodically check each IAM role and identify unused roles based on a time window that you define.
Then you can determine if some roles are obsolete and can be safely removed.
Which option is the most appropriate?
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer - C.
Option A is incorrect: This option cannot provide you a view of which IAM roles are compliant or not.
Option C is better.
Option B is incorrect: AWS Config resources do not provide the usage status of IAM roles.
Instead, you should set up an AWS Config rule.
Option C is CORRECT: Because the Lambda function can check each IAM role, and you can view the compliance status in AWS Config.
Option D is incorrect: Because this is not a straightforward solution if compared with option.
C.
It also cannot provide you a clear view of the compliance status.
Reference:
https://aws.amazon.com/blogs/security/continuously-monitor-unused-iam-roles-aws-config/The question describes a scenario where multiple teams are sharing a single AWS account, and there are a large number of IAM roles in use. The task is to identify any unused IAM roles within a defined time window so that they can be safely removed. The objective is to optimize the IAM roles' usage and to avoid unnecessary costs.
Option A suggests periodically triggering a CloudWatch Event rule and registering a Lambda function to evaluate all the IAM roles. CloudWatch Events is a service that enables you to respond to state changes in your AWS resources. You can create a rule that matches events and route them to a specific target. In this case, you would create a CloudWatch Event rule that triggers a Lambda function periodically. The Lambda function would then evaluate all IAM roles in the account to identify any unused ones.
Option B suggests enabling AWS Config and checking the IAM usage of each IAM role in AWS Config resources. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. You can use AWS Config to monitor changes to your resources and to determine compliance against best practices. In this case, you would enable AWS Config and configure it to evaluate IAM roles. AWS Config would then periodically check the IAM usage of each IAM role to identify any unused ones.
Option C suggests periodically triggering an AWS Config rule that invokes a Lambda function. The Lambda function checks the status of each IAM role. This option is similar to option B but with the addition of a custom AWS Config rule. AWS Config enables you to create custom rules that define the desired configuration of your resources. In this case, you would create a custom AWS Config rule that triggers a Lambda function. The Lambda function would then evaluate the status of each IAM role to identify any unused ones.
Option D suggests setting up Amazon Athena to evaluate the usage of IAM roles from the AWS CloudTrail logs. Amazon Athena is a service that enables you to query data stored in Amazon S3 using SQL. AWS CloudTrail is a service that enables you to log, continuously monitor, and retain events related to API calls across your AWS account. In this case, you would configure AWS CloudTrail to log events related to IAM role usage. Then you would set up Amazon Athena to query the CloudTrail logs to identify any unused IAM roles.
Of these four options, option B or C is the most appropriate for this scenario. AWS Config is designed specifically for resource configuration monitoring, and creating a custom rule can be very useful in identifying the usage of IAM roles. However, all the options have their own benefits and drawbacks, and the best option depends on the specific use case and preferences.