Identifying Unintended Access to AWS Resources and Data | IAM, S3, KMS, Secret Manager

Configure Mechanism to Detect Unintended Access | AWS Services for IAM, S3, KMS, Secret Manager

Question

The security team has found that an IAM role was unexpectedly shared with an external entity.

To detect similar issues, your manager asks you to configure a mechanism that identifies unintended access to resources and data in IAM, S3, KMS and Secrets Manager.

Which of the following AWS services would you use to configure it?

Answers

A. IAM Access Analyzer
B. Service Control Policies (SCPs)
C. IAM Credential Report
D. Amazon Inspector

Explanations

Correct Answer: A.

Option A is CORRECT. IAM Access Analyzer continuously analyzes the resource-based policies in your account (IAM role trust policies, S3 bucket policies, KMS key policies, Secrets Manager resource policies and others) and generates a finding for every resource that can be accessed by a principal outside your zone of trust (the account, or the organization if you create an organization-level analyzer). An IAM role whose trust policy allows another account to assume it is exactly the kind of finding it produces.

Option B is incorrect. Service Control Policies set the maximum permissions available to principals in the member accounts of an AWS Organization. They are a preventive guardrail; they do not detect or report access that has already been granted.

Option C is incorrect. The IAM credential report lists the account's IAM users and the status of their passwords, access keys and MFA devices. It is useful for auditing credentials, but it says nothing about who can access a given resource.

Option D is incorrect. Amazon Inspector assesses EC2 instances (and, in the current version, container images and Lambda functions) for software vulnerabilities and unintended network exposure. It does not analyze the access policies of resources such as S3 buckets, KMS keys or secrets.

Reference:

https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

The AWS service that can be used to identify unintended access to resources and data for IAM, S3, KMS, and Secrets Manager is IAM Access Analyzer.

IAM Access Analyzer identifies the resources in an AWS account or organization that can be accessed from outside that zone of trust. It does this by analyzing resource-based policies, including IAM role trust policies, S3 bucket policies, KMS key policies and Secrets Manager resource policies, with automated reasoning (the same provable-security engine behind IAM policy validation), so that a policy granting access to an external account, a federated identity or the public is reported as a finding. It does not need to observe an actual request: the finding comes from the policy itself.

Service Control Policies (SCPs) are used to manage permissions in AWS Organizations: they set the maximum permissions that principals in member accounts can use (they are distinct from IAM permissions boundaries, which apply per principal). SCPs restrict what can be done; they are not used to identify unintended access to resources and data in an AWS account.

The IAM credential report lists all of the IAM users in the account and the status of their credentials, including passwords, access keys and MFA devices. This report is useful for auditing and monitoring IAM users, but it is not used to identify unintended access to resources and data in an AWS account.

Amazon Inspector is a vulnerability management service that scans workloads deployed on AWS for software vulnerabilities and unintended network exposure. It is not used to identify unintended access to resources and data in an AWS account.

In summary, IAM Access Analyzer is the AWS service that should be configured to identify unintended access to resources and data for IAM, S3, KMS, and Secrets Manager.
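To make the "zone of trust" idea concrete, here is an added example (not AWS code and not IAM Access Analyzer itself, which reasons over the full policy language) of the core check the service performs: walk the Allow statements of a resource-based policy and report every principal that is not an AWS service principal and does not belong to a trusted account. The trusted account id, the resource ARNs and all four sample policies (a role trust policy, an S3 bucket policy, a KMS key policy and a Secrets Manager resource policy) are constructed for the example; the role trust policy mirrors the scenario in the question, where a role is shared with an account outside the zone of trust.

```python
"""Simplified external-access check over resource-based policies.

Added example, not IAM Access Analyzer's implementation. Access Analyzer
uses automated reasoning over the complete policy language, including
Condition blocks and Deny statements; this toy version only inspects
Allow statements and records Conditions without evaluating them.
"""
from __future__ import annotations

from typing import Iterable, Optional

# Assumption: the account being analyzed (the "zone of trust").
TRUSTED_ACCOUNT = "111122223333"


def principal_account(principal: str) -> Optional[str]:
    """Return the 12-digit account id behind an AWS principal, or None if unknown."""
    if principal.isdigit() and len(principal) == 12:
        return principal  # bare account id
    if principal.startswith(("arn:aws:iam::", "arn:aws:sts::")):
        return principal.split(":")[4] or None  # arn:aws:iam::ACCOUNT:root|user/...|role/...
    return None  # "*" (anonymous), canonical user ids, malformed values


def iter_principals(statement: dict) -> Iterable[tuple[str, str]]:
    """Yield (principal_type, value) pairs for a statement's Principal element."""
    principal = statement.get("Principal")
    if principal == "*":
        yield ("AWS", "*")  # bare "*" is equivalent to {"AWS": "*"}
        return
    if not isinstance(principal, dict):
        return  # identity-based policies have no Principal and produce no finding
    for ptype, values in principal.items():  # AWS, Service, Federated, CanonicalUser
        for value in ([values] if isinstance(values, str) else values):
            yield (ptype, value)


def external_access_findings(resource_arn: str, policy: dict,
                             trusted_accounts: set[str]) -> list[dict]:
    """Report each Allow grant to a principal outside the trusted accounts."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are ignored in this simplified check
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for ptype, value in iter_principals(stmt):
            if ptype == "Service":
                continue  # e.g. lambda.amazonaws.com: an AWS service, not an external entity
            is_public = value == "*"
            account = principal_account(value) if ptype == "AWS" else None
            # Federated and canonical-user principals resolve to no account, so they
            # are treated as external, as are AWS principals in untrusted accounts.
            if is_public or account not in trusted_accounts:
                findings.append({
                    "resource": resource_arn,
                    "principal": f"{ptype}:{value}",
                    "isPublic": is_public,
                    "actions": actions,
                    "condition": stmt.get("Condition", {}),  # recorded, not evaluated
                })
    return findings


# Constructed sample resources and their resource-based policies (not real ARNs).
ROLE_ARN = "arn:aws:iam::111122223333:role/DataPipelineRole"
BUCKET_ARN = "arn:aws:s3:::example-logs-bucket"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-password"

SAMPLE_RESOURCES = {
    ROLE_ARN: {"Version": "2012-10-17", "Statement": [  # role trust policy
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
         "Action": "sts:AssumeRole"},                     # the unexpected external entity
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    BUCKET_ARN: {"Version": "2012-10-17", "Statement": [  # bucket policy, public read
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-logs-bucket/*"}]},
    KEY_ARN: {"Version": "2012-10-17", "Statement": [     # key policy, own account only
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"}]},
    SECRET_ARN: {"Version": "2012-10-17", "Statement": [  # secret policy, one external role
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:role/AppRole",
                               "arn:aws:iam::999988887777:role/PartnerRole"]},
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]},
}


def analyze_all(resources: dict = SAMPLE_RESOURCES,
                trusted_accounts: set[str] = frozenset({TRUSTED_ACCOUNT})) -> dict[str, list[dict]]:
    """Run the check over every resource; empty lists mean no external access."""
    return {arn: external_access_findings(arn, policy, set(trusted_accounts))
            for arn, policy in resources.items()}


if __name__ == "__main__":
    for arn, findings in analyze_all().items():
        for f in findings:
            print(f"{arn}: {f['principal']} -> {f['actions']} public={f['isPublic']}")
```

With the real service the equivalent setup is `aws accessanalyzer create-analyzer --analyzer-name <name> --type ACCOUNT` (or `--type ORGANIZATION` from the management or delegated administrator account) followed by `aws accessanalyzer list-findings --analyzer-arn <arn>`; findings are also published to Security Hub and EventBridge, so the role-sharing case from the question can be alerted on or archived with an archive rule when the external account is an approved partner.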