IAM Usage Status Report for AWS Account

Information Missing in IAM Credential Report

Question

The security team in your company will start a new security audit for all AWS accounts, and your manager asked you to present him with a document stating the IAM usage status in your AWS account.

You have downloaded a recent credential report in IAM and replied to your manager.

However, which information does NOT exist in the report? (Select TWO.)

Answers

Explanations


A. B. C. D. E.

Answer: B and E.

Option A is incorrect because the IAM credential report does provide details about the last time the access keys were rotated.

Option B is CORRECT because IAM role information does not exist in the report.

Option C is incorrect because the IAM credential report does provide details about the service that an access key of an IAM user was used for.

Option D is incorrect because the IAM credential report does provide details about the last time the IAM user password was changed.

Option E is CORRECT because there is no SAML IAM identity provider information in the credential report.

For the format of the IAM credential report, refer to:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-credential-report.html

The IAM Credential Report is a document containing important information about your AWS account's IAM (Identity and Access Management) users and their access keys. It can be used to audit and analyze the usage of IAM users, access keys, and roles in your AWS account. However, there are some pieces of information that are not included in the report, as mentioned in the question. Let's go through each option:

A. The last time when the access key was rotated for an IAM user: This information is not included in the IAM Credential Report. However, you can find this information in the AWS Management Console or by using AWS CLI commands. IAM access keys should be rotated periodically to minimize the risk of unauthorized access.

B. IAM role name and when it was used last time: The IAM Credential Report includes information about IAM roles, including their names, ARNs, and creation dates. However, it does not include information about when a role was last used. To obtain this information, you can enable AWS CloudTrail and use it to track API activity for your roles.

C. The last time that an access key of an IAM user was used, and for which service: This information is included in the IAM Credential Report. You can use this information to determine which access keys are being actively used and which ones are not, and then delete any unused keys to reduce the risk of unauthorized access.

D. The last time when the password was changed for an IAM user: This information is not included in the IAM Credential Report. However, you can use AWS CloudTrail to track password-related API activity and determine when a user's password was last changed.

E. IAM SAML identity provider name and ARN, and the time when the provider was created: This information is not included in the IAM Credential Report. However, you can obtain it by using the AWS Management Console or by using AWS CLI commands to query the SAML identity provider API. The SAML identity provider is used to enable federated access to your AWS account using a SAML-compatible identity provider, such as Microsoft Active Directory Federation Services (ADFS) or Okta.

In summary, the IAM Credential Report is a valuable tool for auditing and analyzing IAM usage in your AWS account. However, it does not include certain pieces of information, such as the last time an access key was rotated for an IAM user or the name and last usage of an IAM role. You may need to use other AWS services, such as AWS CloudTrail, to obtain this information.
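As an added example (not part of the original question or answer page), the following Python script parses a credential report in the CSV layout IAM downloads and turns it into audit findings: users without MFA, access keys past a rotation age, and idle keys. The report rows are constructed sample data (a subset of the real columns, with a fixed "now" so results are reproducible); the threshold values are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the column layout of an IAM credential report
# (only a subset of the real columns is shown; all values are made up).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,true,false,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-10T00:00:00+00:00,true,2024-05-20T12:00:00+00:00,2024-01-15T08:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-29T10:00:00+00:00,s3
bob,arn:aws:iam::123456789012:user/bob,2021-06-01T00:00:00+00:00,false,no_information,no_information,false,true,2023-01-01T00:00:00+00:00,2023-02-01T00:00:00+00:00,ec2
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the findings are reproducible
NOT_DATES = {"N/A", "no_information", "not_supported", ""}  # non-date markers the report uses


def parse_time(value):
    """Return a datetime for an ISO 8601 report field, or None for the N/A-style markers."""
    if value in NOT_DATES:
        return None
    return datetime.fromisoformat(value)


def report_columns(report_csv):
    """Column names present in the report (note: no role or SAML provider columns)."""
    return csv.DictReader(io.StringIO(report_csv)).fieldnames


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90, max_idle_days=45):
    """Return {user: [findings]} for every user whose row deserves attention.

    Thresholds (90-day rotation, 45-day idle) are assumed policy values, not AWS defaults.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        if row["mfa_active"] != "true":
            issues.append("mfa_not_active")
        if row["access_key_1_active"] == "true":
            rotated = parse_time(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                issues.append("access_key_1_older_than_%d_days" % max_key_age_days)
            last_used = parse_time(row["access_key_1_last_used_date"])
            # A key that was never used, or not used recently, is a candidate for removal.
            if last_used is None or now - last_used > timedelta(days=max_idle_days):
                issues.append("access_key_1_idle")
        if issues:
            findings[row["user"]] = issues
    return findings
```

A real report has a second access-key block (`access_key_2_*`) and certificate columns with the same conventions; the same loop applies to them.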