CLF-C02 Question #51: Real Exam Question with Answer & Explanation

The correct answer is C: AWS Identity and Access Management Access Analyzer.

Submitted by ashley.k · Mar 6, 2026 · Security and Compliance

Question

Which AWS service or resource can identify and provide reports on IAM resources in one AWS account that are shared with another AWS account?

Options

  • A. IAM credential report
  • B. AWS IAM Identity Center (AWS Single Sign-On)
  • C. AWS Identity and Access Management Access Analyzer
  • D. Amazon Cognito user pool

Explanation

AWS IAM Access Analyzer Explanation

AWS Identity and Access Management Access Analyzer (Option C) is specifically designed to continuously monitor and analyze resource-based policies to identify resources - such as S3 buckets, IAM roles, KMS keys, and Lambda functions - that are shared with external entities, including other AWS accounts, and generates detailed findings/reports on these cross-account access configurations.

Why the distractors are wrong:

  • (A) IAM Credential Report only generates a list of IAM users and the status of their credentials (passwords, access keys, MFA) within a single account - it has no cross-account sharing analysis capability.
  • (B) AWS IAM Identity Center (SSO) is a centralized service for managing workforce authentication and single sign-on across multiple accounts, not for identifying or reporting on shared resources.
  • (D) Amazon Cognito User Pools are designed for managing end-user (customer-facing) authentication for web and mobile applications, completely unrelated to cross-account IAM resource analysis.

💡 Memory Tip: Think of IAM Access Analyzer as a "security spotlight" - it analyzes who can access your resources from outside your account's "zone of trust," making it the natural choice for any question about detecting unintended cross-account sharing.

Topics

IAM Access Analyzer, Cross-account sharing, Security analysis, Resource access
