
SAP-C02 Question #384: Real Exam Question with Answer & Explanation

The correct answer is B: Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access

Submitted by kim_seoul · Mar 6, 2026 · Continuous Improvement for Existing Solutions

Question

An external audit of a company's serverless application reveals IAM policies that grant too many permissions. These policies are attached to the company's AWS Lambda execution roles. Hundreds of the company's Lambda functions have broad access permissions, such as full access to Amazon S3 buckets and Amazon DynamoDB tables. The company wants each function to have only the minimum permissions that the function needs to complete its task. A solutions architect must determine which permissions each Lambda function needs. What should the solutions architect do to meet this requirement with the LEAST amount of effort?

Options

  • A. Set up Amazon CodeGuru to profile the Lambda functions and search for AWS API calls. Create
  • B. Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access
  • C. Turn on AWS CloudTrail logging for the AWS account. Create a script to parse the CloudTrail log,
  • D. Turn on AWS CloudTrail logging for the AWS account. Export the CloudTrail logs to Amazon S3.

Explanation

IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. For this question the relevant capability is Access Analyzer's policy generation, which reads the CloudTrail activity of a role and drafts a policy containing only the actions the role actually used, so each Lambda execution role can be trimmed without hand-parsing logs. https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
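To make the CloudTrail-to-least-privilege step concrete, here is an added example (not from this page and not AWS or Access Analyzer code) that does, in simplified form, what policy generation automates: it reads CloudTrail records, keeps only those issued by one Lambda execution role, and emits a policy allowing just the observed actions. The role ARNs and log records are constructed sample data; the eventName-to-IAM-action mapping is a simplification.

```python
import json
from collections import defaultdict

ROLE = "arn:aws:iam::123456789012:role/order-fn-role"    # hypothetical role ARN
OTHER = "arn:aws:iam::123456789012:role/report-fn-role"  # hypothetical, must be excluded

def _event(source, name, role_arn):
    """Build a minimal CloudTrail record shape (constructed sample, not real log data)."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": role_arn}}}}

SAMPLE_EVENTS = [
    _event("s3.amazonaws.com", "GetObject", ROLE),
    _event("s3.amazonaws.com", "GetObject", ROLE),            # repeat: collapses to one action
    _event("dynamodb.amazonaws.com", "PutItem", ROLE),
    _event("dynamodb.amazonaws.com", "GetItem", ROLE),
    _event("monitoring.amazonaws.com", "PutMetricData", ROLE),
    _event("s3.amazonaws.com", "DeleteObject", OTHER),        # another role: must not leak in
]

# eventSource hostnames whose IAM service prefix differs from the hostname label.
SERVICE_PREFIX = {"monitoring": "cloudwatch"}

def issuer_arn(event):
    """Return the role ARN that issued the session, or None for non-role identities."""
    return (event.get("userIdentity", {}).get("sessionContext", {})
            .get("sessionIssuer", {}).get("arn"))

def actions_used(events, role_arn):
    """Map {service_prefix: sorted actions} observed for role_arn in the records."""
    used = defaultdict(set)
    for ev in events:
        if issuer_arn(ev) != role_arn:
            continue
        host = ev["eventSource"].split(".")[0]
        svc = SERVICE_PREFIX.get(host, host)
        used[svc].add(f"{svc}:{ev['eventName']}")
    return {svc: sorted(acts) for svc, acts in used.items()}

def least_privilege_policy(events, role_arn):
    """Policy allowing only observed actions; Resource is left as "*" for the reviewer to scope."""
    statements = [{"Sid": f"{svc.capitalize()}Observed", "Effect": "Allow",
                   "Action": acts, "Resource": "*"}
                  for svc, acts in sorted(actions_used(events, role_arn).items())]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(SAMPLE_EVENTS, ROLE), indent=2))
```

Two caveats a reviewer should keep in mind: S3 and DynamoDB data-plane calls only appear in CloudTrail when data event logging is enabled, and the generated resource scope still has to be narrowed from "*" to the specific buckets and tables by hand.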

Community Discussion

No community discussion yet for this question.