AWS Account Administrator - Audit and Report for Unused IAM Roles


Question

As an AWS account administrator, you wish to perform an audit and create a report of all services that have not been used in the IAM role “DevOps_Admin” in the past 6 months.

Which AWS service would you use to accomplish this task?

Answers

Explanations


A. B. C. D. E.

Answer: A.

Option A is CORRECT because AWS IAM Access Advisor reports service last accessed information, which helps you set permission guardrails that control which services your developers and applications can access.

By analyzing the last accessed information, you can determine the services not used by IAM users and roles.

Option B is incorrect because GuardDuty is a threat detection service.

Option C is incorrect because using CloudTrail does not provide the most efficient way to accomplish the task.

Option D is incorrect because AWS Resource Access Manager is a service for securing shared access to AWS resources across multiple AWS accounts.

Option E is incorrect because AWS Config is a service for controlling the configurations of AWS resources.

AWS IAM Access Advisor uses data analysis to help you set permission guardrails confidently by providing service last accessed information for your accounts, organizational units (OUs), and your organization managed by AWS Organizations.

You can implement permissions guardrails using service control policies (SCPs) that restrict access to those services.

Reference:

https://aws.amazon.com/about-aws/whats-new/2019/06/now-use-iam-access-advisor-with-aws-organizations-to-set-permission-guardrails-confidently/

The AWS service that can be used to accomplish this task is "AWS IAM Access Advisor."

IAM Access Advisor is a feature of the AWS Identity and Access Management (IAM) service that shows which AWS services your IAM users, groups, roles, and policies have not used recently, and provides guidance on how to remove unused permissions.

To audit and create a report of all services that have not been used in the IAM role "DevOps_Admin" in the past 6 months, you can use IAM Access Advisor to generate an access report. The access report will show you the last time each IAM user, group, or role accessed each service, and you can filter the report to show only the services accessed by the "DevOps_Admin" role. By sorting the results by last access time, you can easily identify the services that have not been used in the past 6 months by this role.
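The same report can be produced from the IAM API rather than the console. The following is an added example (not part of the original question or of any AWS tooling) that runs the Access Advisor job for a role with boto3 and then filters the returned service last accessed data to those services unused for 180 days; the `SAMPLE` response and the `DevOps_Admin` role are constructed for the offline demonstration.

```python
from datetime import datetime, timedelta, timezone

UNUSED_AFTER_DAYS = 180  # roughly "the past 6 months"

def unused_services(services_last_accessed, now, days=UNUSED_AFTER_DAYS):
    """Return (namespace, last_authenticated) pairs for services not used within `days`.
    Input has the shape of the API's ServicesLastAccessed list; LastAuthenticated is
    absent when the role never used the service within Access Advisor's tracking period."""
    cutoff = now - timedelta(days=days)
    unused = []
    for svc in services_last_accessed:
        last = svc.get("LastAuthenticated")
        if last is None or last < cutoff:
            unused.append((svc["ServiceNamespace"], last))
    return sorted(unused, key=lambda item: item[0])

def fetch_services_last_accessed(role_arn):
    """Start an Access Advisor job for the role, poll it, and collect every page of results.
    Needs boto3 plus iam:GenerateServiceLastAccessedDetails and
    iam:GetServiceLastAccessedDetails; the offline demo below does not call it."""
    import time
    import boto3
    iam = boto3.client("iam")
    job_id = iam.generate_service_last_accessed_details(Arn=role_arn)["JobId"]
    services, marker = [], None
    while True:
        page = {"Marker": marker} if marker else {}
        resp = iam.get_service_last_accessed_details(JobId=job_id, **page)
        if resp["JobStatus"] == "FAILED":
            raise RuntimeError(f"Access Advisor job failed: {resp.get('Error')}")
        if resp["JobStatus"] != "COMPLETED":
            time.sleep(2)  # still IN_PROGRESS; poll again
            continue
        services.extend(resp["ServicesLastAccessed"])
        if not resp.get("IsTruncated"):
            return services
        marker = resp["Marker"]

# Constructed sample for a hypothetical DevOps_Admin role (not real account data).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE = [
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=3), "TotalAuthenticatedEntities": 1},
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=200), "TotalAuthenticatedEntities": 1},
    {"ServiceNamespace": "kms", "TotalAuthenticatedEntities": 0},  # never used in tracking period
]

if __name__ == "__main__":
    for namespace, last in unused_services(SAMPLE, NOW):
        print(f"{namespace}: last used {last.date() if last else 'never in the tracking period'}")
```

Access Advisor only reports within its tracking period, so a missing `LastAuthenticated` means "not used within that window", not necessarily never; treat it as a candidate for permission removal, then confirm before changing the role's policies.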

AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. It is not designed for the specific task of auditing unused services in an IAM role.

AWS CloudTrail is a service that provides a record of actions taken by a user, role, or AWS service in your AWS account. It can be used to audit the activity of the "DevOps_Admin" role, but it does not provide information about which services have been used or not used.

AWS Resource Access Manager (RAM) is a service that enables you to share AWS resources with other AWS accounts. It is not designed for the specific task of auditing unused services in an IAM role.

AWS Config is a service that provides a detailed inventory of the AWS resources in your account and the configuration history of those resources. While it can be used to track changes to resources used by the "DevOps_Admin" role, it does not provide information about which services have been used or not used.