Your development team uses access keys in their local PCs to develop an application with access to S3 and DynamoDB.
A new security policy has been outlined that the credentials that are nearing the 2 months expiry period should be rotated.
Which of the following options is the most suitable?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - B.
One can use the CLI command list-access-keys to get the access keys.
This command also returns the "CreateDate" of the keys.
If the CreateDate is older than 2 months, the keys can be deleted and recreated.
The list-access-keys CLI command returns information about the access key IDs associated with the specified IAM user.
If there are none, the action returns an empty list.
For more information on the CLI command, please refer to the below link:
http://docs.aws.amazon.com/cli/latest/reference/iam/list-access-keys.htmlThe most suitable option to rotate the access keys that are nearing their expiry period is option B: Use a Cron job to query the date the keys are created. If the keys are nearing the 2 months expiry period, delete them and recreate new keys.
Option A is not a suitable solution because it is not a good practice to use application-level code to manage AWS access keys. The keys should be rotated using an automated process or a scheduled job to minimize the risk of manual error and ensure that the keys are rotated in a timely manner.
Option C is also not a suitable solution because deleting and recreating a user associated with the keys will cause the user to lose any permissions, policies, and group memberships that were assigned to them. This can be a time-consuming and error-prone process, especially if the user had a lot of permissions.
Option D is also not a suitable solution because deleting and recreating the IAM Role associated with the keys will cause the role to lose any policies, trust relationships, and instance profiles that were assigned to it. This can also be a time-consuming and error-prone process, especially if the role had a lot of permissions.
Option B is the most suitable solution because it involves using a scheduled job (e.g., a Cron job) to check the creation date of the access keys and if they are nearing the 2-month expiry period, delete the old keys and create new ones. This process can be automated using AWS SDKs or the AWS CLI. The new keys can then be distributed to the development team, and the old keys can be securely deleted. This process ensures that the access keys are rotated in a timely manner, without causing any disruption to the users' permissions or configurations.