AWS Application Security Best Practices | AWS Certified DevOps Engineer Exam Question Answer

AWS Access Key Age Report for Amazon S3, DynamoDB, and SQS | DOP-C01 Exam Question Answer


Question

You are responsible for an application that uses the AWS SDK to store and retrieve data in Amazon S3, access multiple DynamoDB tables, and exchange messages with Amazon SQS queues.

Your VP of Compliance is concerned that you are not following security best practices for securing all of this access.

He has asked you to verify that the application's AWS access keys are not older than six months and he needs the report periodically.

Which of the below options will provide your VP with the requested information?

Answers

Explanations


A. B. C. D.

Answer - A.

Use the IAM ListAccessKeys API (iam:ListAccessKeys) to find out when each access key was created. The call returns one AccessKeyMetadata entry per key, with the AccessKeyId, its Status (Active or Inactive), and its CreateDate. Note that the call is scoped to a single IAM user, so a script that has to cover every application key enumerates the users first (iam:ListUsers) and then lists the keys of each.

Comparing each CreateDate with the current date tells you which keys are older than six months.

Run that script as a scheduled batch job and have it write the result out as the compliance report the VP of Compliance asked for, at whatever interval he needs it.

Please refer to the below link on the rotation of AWS access keys.

https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/

The correct answer is A. Create a script that queries the IAM list-access-keys API to get the creation date of the application's access keys and periodically produce a compliance report for your VP.

Explanation: The VP of Compliance is concerned about security best practices for securing access to AWS resources, specifically the application's AWS access keys. An access key pair authenticates an application's requests to AWS services; what those requests are then authorized to do is determined by the IAM policies attached to the key's user. If a key is compromised, an attacker can act with those permissions against your AWS resources and the data behind them, and the longer a key stays in use the longer a leaked copy stays valid. That is why key age is a compliance control in its own right.

To address the VP's concern, you need to verify that the application's access keys are not older than six months and provide a periodic compliance report. Option A is the most appropriate solution for this requirement. It queries the IAM list-access-keys API, which returns the access keys associated with an IAM user together with each key's creation date, so the script can work out whether a key is older than six months and write the result into a report delivered to your VP on a schedule. Two practical notes: because the API is scoped to one IAM user, the script must iterate over the users whose keys the application uses (or over all users) to produce a complete report; and the IAM credential report offers the same information account-wide (its access_key_1_last_rotated and access_key_2_last_rotated columns), which is a reasonable alternative source for the same check. Rotating long-lived keys is a mitigation; where the application runs on AWS compute, replacing the keys with an IAM role that issues temporary credentials removes the key-age problem altogether.

Option B is not a valid solution because it does not provide a way to verify that the access keys are not older than six months, nor does it provide a way to create a compliance report for the VP.

Option C is also not a valid solution because it requires modifying the application to log changes to its AWS access key credential file, which is not a security best practice. Additionally, using Amazon EMR to create compliance reports is not the most efficient approach.

Option D is not a valid solution because it proposes creating a new set of instructions for the configuration management tool to periodically create and rotate the application's existing access keys. While this approach may help improve security, it does not provide a way to verify that the access keys are not older than six months, nor does it provide a way to create a compliance report for the VP.
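The Option A script in working form, as an added example (not code from the exam or from AWS). It operates on the AccessKeyMetadata entries that iam:ListAccessKeys returns (UserName, AccessKeyId, Status, CreateDate), so the age check runs offline on the constructed sample keys below; the `collect_access_keys` function shows how the same check is fed from a live account through boto3. The 180-day threshold, the user names, the key IDs and the fixed "current" date are all assumptions made for the example.

```python
"""Access key age report for the Option A approach (added example, not from the exam or AWS).

The policy check works on the AccessKeyMetadata entries that iam:ListAccessKeys
returns: UserName, AccessKeyId, Status, CreateDate. It runs offline on the
constructed sample below; pass --live to read a real account through boto3.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timezone

# Compliance threshold. "Six months" is approximated as 180 days (assumption).
MAX_KEY_AGE_DAYS = 180

# Constructed sample data standing in for two IAM users' keys. Key IDs and the
# "current" date are made up; NOW is fixed so the computed ages are reproducible.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "app-svc", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": datetime(2023, 11, 1, tzinfo=timezone.utc)},
    {"UserName": "app-svc", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": datetime(2024, 5, 15, tzinfo=timezone.utc)},
    {"UserName": "batch-svc", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": datetime(2023, 1, 2, tzinfo=timezone.utc)},
]


def key_age_days(create_date: datetime, now: datetime) -> int:
    """Whole days since the key was created. IAM returns CreateDate in UTC."""
    if create_date.tzinfo is None:
        create_date = create_date.replace(tzinfo=timezone.utc)
    return (now - create_date).days


def find_stale_keys(access_keys, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return the keys older than the threshold, oldest first.

    Inactive keys are reported as well: an inactive key can be reactivated at
    any time, so it still counts against the rotation policy until deleted.
    """
    now = now or datetime.now(timezone.utc)
    stale = []
    for key in access_keys:
        age = key_age_days(key["CreateDate"], now)
        if age > max_age_days:
            stale.append({"UserName": key["UserName"],
                          "AccessKeyId": key["AccessKeyId"],
                          "Status": key["Status"],
                          "AgeDays": age})
    return sorted(stale, key=lambda k: k["AgeDays"], reverse=True)


def render_report(stale_keys) -> str:
    """CSV report for the compliance owner. Access key IDs are identifiers,
    not secrets; the secret access key is never returned by the API."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["UserName", "AccessKeyId", "Status", "AgeDays"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(stale_keys)
    return buf.getvalue()


def collect_access_keys(iam_client):
    """Enumerate every user's keys from a live account.

    ListAccessKeys is scoped to one IAM user, so list the users first; both
    calls are paginated. `iam_client` is a boto3 IAM client and needs
    iam:ListUsers and iam:ListAccessKeys permissions.
    """
    keys = []
    for page in iam_client.get_paginator("list_users").paginate():
        for user in page["Users"]:
            paginator = iam_client.get_paginator("list_access_keys")
            for kpage in paginator.paginate(UserName=user["UserName"]):
                keys.extend(kpage["AccessKeyMetadata"])
    return keys


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # only needed for the live run
        keys, now = collect_access_keys(boto3.client("iam")), None
    else:
        keys, now = SAMPLE_KEYS, NOW
    stale = find_stale_keys(keys, now=now)
    sys.stdout.write(render_report(stale))
    sys.exit(1 if stale else 0)  # non-zero exit lets a scheduler flag a failing run
```

Run it from a scheduled job (cron, an EventBridge-triggered Lambda, or a CI pipeline) and ship the CSV to the VP; the non-zero exit code when stale keys are found lets the scheduler raise an alert instead of relying on someone reading the report. On the sample data the two keys created in January and November 2023 are flagged (545 and 242 days old) and the May 2024 key passes.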