AWS IAM User Audit Documentation

Status of IAM Users in AWS Account

Question

Your company is performing a security audit of your AWS environment.

The security specialist asked you to provide a document that contained the status of all IAM users in the AWS account.

The document should include information such as when users were created, when passwords were used or changed, whether MFA was enabled, etc.

What is the best way to provide this documentation?

Answers

Explanations


A. B. C. D.

Answer: B.

Option A is incorrect because list-users returns only basic attributes for each user (name, user ID, ARN, path, creation date).

It does not contain data such as MFA status, access key state, or password change dates.

Option B is CORRECT because a credential report can be generated as often as once every four hours (a request made sooner returns the report already generated), and it contains all the requested data: user creation time, password last used and last changed, MFA status, and access key status.

Option C is incorrect because AWS Config records IAM users as configuration items, but its resource inventory does not carry the password usage, password change, and MFA details requested, so it cannot produce the required document on its own.

Option D is incorrect because reconstructing this information from CloudTrail events with Athena is far more work than option B (the IAM credential report), which provides it directly.

In AWS IAM console, users can generate a credential report which lists all IAM users and the status, including passwords, access keys, and MFA devices.

For more information, kindly visit the URL provided below.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
VPN Connections

You can connect your Amazon VPC to remote networks by using a VPN connection. The following are some of the connectivity options available to you.

VPN connectivity option: Description

AWS managed VPN: You can create an IPsec VPN connection between your VPC and your remote network. On the AWS side of the VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover. You configure your customer gateway on the remote side of the VPN connection. For more information, see AWS Managed VPN Connections, and the Amazon VPC Network Administrator Guide.

AWS VPN CloudHub: If you have more than one remote network (for example, multiple branch offices), you can create multiple AWS managed VPN connections via your virtual private gateway to enable communication between these networks. For more information, see Providing Secure Communication Between Sites Using VPN CloudHub.

Third party software VPN appliance: You can create a VPN connection to your remote network by using an Amazon EC2 instance in your VPC that's running a third party software VPN appliance. AWS does not provide or maintain third party software VPN appliances; however, you can choose from a range of products provided by partners and open source communities. Find third party software VPN appliances on the AWS Marketplace.

You can also use AWS Direct Connect to create a dedicated private connection from a remote network to your VPC. You can combine this connection with an AWS managed VPN connection to create an IPsec-encrypted connection. For more information, see What is AWS Direct Connect? in the AWS Direct Connect User Guide. For more information about the different VPC and VPN connectivity options, see the Amazon Virtual Private Cloud Connectivity Options whitepaper.

The best way to provide documentation containing the status of all IAM users in an AWS account, including information such as creation dates, password usage and changes, and MFA status, is by generating and downloading an IAM credential report through the AWS Management Console or AWS SDKs.

Option A, which involves using the IAM CLI list-users command to generate a JSON document, would only provide basic attributes for each IAM user (name, user ID, ARN, path and creation date); it says nothing about MFA devices, access keys, or password changes.

Option C involves using AWS Config to download the resource inventory for all IAM users. AWS Config does track IAM users as configuration items, but the recorded attributes are resource properties such as names, ARNs and attached policies, not the credential status (password usage, password changes, MFA) the auditor asked for.

Option D, which involves using AWS Athena to query the AWS CloudTrail S3 bucket and generate a report based on the query result, is a more complex and time-consuming approach. CloudTrail records API calls, not current state, so the report would have to infer MFA status and password age from events such as EnableMFADevice, ChangePassword and ConsoleLogin, and only for the period the trail has retained, which makes the result both laborious to produce and incomplete.

The IAM credential report, on the other hand, provides a comprehensive overview of the status of all IAM users in the AWS account (plus a row for the root user), including their creation dates, password usage and changes, MFA status, and access key and signing certificate status. It can be generated through the AWS Management Console, the AWS CLI, or the AWS SDKs, and is downloaded as a CSV file for further processing or analysis. A report can be generated at most once every four hours; requesting one sooner returns the most recent report.

To generate the IAM credential report through the AWS Management Console, follow these steps:

  1. Sign in to the AWS Management Console and open the IAM console.
  2. In the left navigation pane, choose "Credential report".
  3. Choose "Download Report" (the console generates a new report if none was generated within the last four hours, otherwise it serves the existing one).
  4. Wait for the report to be generated (usually a few seconds).
  5. Save the downloaded file; it is a CSV with one row per IAM user and one for the root account.

Alternatively, the IAM credential report can be generated and downloaded through the AWS CLI (the SDKs expose the same two operations). First request the report, then fetch it once the request reports COMPLETE:

  aws iam generate-credential-report
  aws iam get-credential-report --query Content --output text | base64 --decode > credential-report.csv

generate-credential-report is asynchronous: it returns a State of STARTED or INPROGRESS until the report is ready, and COMPLETE once it is (or immediately, if a report was generated within the last four hours). There is no output-format option; the report is always CSV. get-credential-report returns that CSV base64-encoded in the Content field, so the pipeline above extracts the field and decodes it to a file that can then be processed as needed.
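The following is an added example, not code from the original page or from AWS, showing both halves of the CLI procedure above in Python: the generate-then-poll flow against a boto3 IAM client (passed in by the caller; the client object and the account ID 111122223333 in the sample are assumptions) and a small audit over the resulting CSV that flags what a security review typically asks about: root without MFA, console passwords without MFA, and stale or never-used access keys. The sample report and the reference time AUDIT_NOW are constructed so the audit runs offline; a real run would feed it the output of fetch_report and datetime.now(timezone.utc).

```python
"""Fetch an IAM credential report and audit it for common credential findings.

Added example, not AWS code. fetch_report() needs a boto3 IAM client; audit()
works on the CSV text and is exercised here on a constructed sample report.
"""
import csv
import io
import time
from datetime import datetime, timezone

# Markers IAM puts in date columns when there is no date to report.
NO_DATE = {"N/A", "no_information", "not_supported", ""}

# Reference time for the offline demo (assumption; use datetime.now(timezone.utc) live).
AUDIT_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def fetch_report(iam, poll_seconds=2, attempts=30):
    """Return the report CSV as text; iam is a boto3 IAM client (boto3.client("iam")).

    generate_credential_report answers STARTED/INPROGRESS until the report is ready and
    COMPLETE once it is, or immediately if one was generated in the last four hours.
    """
    for _ in range(attempts):
        if iam.generate_credential_report()["State"] == "COMPLETE":
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError("credential report did not become ready")
    # boto3 base64-decodes the Content blob; the CLI hands it back still encoded.
    return iam.get_credential_report()["Content"].decode("utf-8")


def _age_days(value, now):
    """Days since a report timestamp such as 2024-04-20T10:00:00+00:00, or None."""
    if value in NO_DATE:
        return None
    return (now - datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")).days


def audit(report_csv, now, max_age_days=90):
    """Return (user, issue) pairs for the credential problems an auditor would flag."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root reports password fields as not_supported; MFA and keys are what matter.
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has active access keys"))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            age = _age_days(row["password_last_changed"], now)
            if age is not None and age > max_age_days:
                findings.append((user, f"password not rotated in {age} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_age_days:
                findings.append((user, f"access key {n} not rotated in {age} days"))
            if row[f"access_key_{n}_last_used_date"] in NO_DATE:
                findings.append((user, f"access key {n} active but never used"))
    return findings


# Constructed sample report: the real 22-column header, then root, a human user with
# MFA, and a service user with one stale, never-used key. Account ID is a placeholder.
SAMPLE_REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated",
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,"
    "false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    "alice,arn:aws:iam::111122223333:user/alice,2022-03-10T12:00:00+00:00,"
    "true,2024-05-30T08:15:00+00:00,2024-04-20T10:00:00+00:00,N/A,true,"
    "true,2024-04-20T10:05:00+00:00,2024-05-29T17:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    "deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-06-01T00:00:00+00:00,"
    "false,N/A,N/A,N/A,false,"
    "true,2021-06-01T00:00:00+00:00,N/A,N/A,N/A,"
    "true,2024-05-15T00:00:00+00:00,2024-05-31T06:00:00+00:00,eu-west-1,ec2,"
    "false,N/A,false,N/A",
])


def audit_sample():
    """Run the audit over the constructed report at the fixed reference time."""
    return audit(SAMPLE_REPORT, AUDIT_NOW)


if __name__ == "__main__":
    for user, issue in audit_sample():
        print(f"{user}: {issue}")
```

The audit deliberately skips the MFA check for users without a console password (deploy-bot above): MFA applies to console sign-in, and flagging every access-key-only service user would bury the real findings. The four-hour cache is why fetch_report does not need a "force" option: there is none, and a report fetched within that window is by definition the current one.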

In summary, the best way to provide documentation containing the status of all IAM users in an AWS account is by generating and downloading an IAM credential report through the AWS Management Console, the AWS CLI, or the AWS SDKs. This report provides a comprehensive overview of IAM user status and security-related attributes in a single CSV file that can be processed or analyzed further as needed.