Exam AWS Certified Developer Associate topic 1 question 20 discussion

"As an administrator or developer, you might grant permissions to IAM entities (users or roles) beyond what they require. IAM provides several options to help you refine the permissions that you grant. One option is to generate an IAM policy that is based on access activity for an entity. IAM Access Analyzer reviews your AWS CloudTrail logs and generates a policy template that contains the permissions that the entity used in your specified date range. You can use the template to create a policy with fine-grained permissions that grant only the permissions that are required to support your specific use case." https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_generate-policy.html

I'm not sure between A and B. While it doesn't specify, another service (EC2 instance) could be sharing that role and CloudTrail would show actions from that other service using this IAM role as well. I am leaning towards A, just because the answer of B is "includes all actions", sounds like there would be more actions than required

A) Eliminated: This is not fast because it requires you to manually determine which services were involved in deployments over the last 3 months

I think D

I think it is A. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_generate-policy.html

i think so A

I think is B

The Keyword fastest is very confusing if B is the answer because its fast . B is faster than D as in we need to build a soltuion using S3 and Athena but you still have to go through 3 months logs manually to see what all has been accessed , however if we build a solution on S3 and Athena the solution comes out in couple of minutes via a simple query . So which one is really fast ?

The fastest way to create a custom IAM policy for the EC2 instance to meet this requirement is B. Create a new IAM policy that includes all actions that AWS CloudTrail recorded for the IAM role in the last 3 months. This approach allows you to quickly identify the actions that were actually used by the build server and create a policy that provides only the required permissions.

The safest would be to do what "A" says to do + collect the minumum access for each of the services. However, the question says FASTEST which makes option B to be the answer. Mind that if some undue access was done in the past 3 months, the permission will still persist, violating the principle of least access privilege

A. Create a new IAM policy based on services that the build server deployed or updated in the last 3 months. The fastest way to create a custom IAM policy for the EC2 instance to meet the requirement would be to create a new IAM policy based on the services that the build server deployed or updated in the last 3 months. This information should be readily available and can be used to determine the specific actions and resources that the build server requires access to. Once this information has been gathered, you can create a new IAM policy that grants only the necessary permissions to the EC2 instance's IAM role. This approach is faster than the other options because it requires only a review of the build server's recent activity, rather than a more complex analysis of AWS CloudTrail logs.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_generate-policy.html

B is the answer, my logic: A.Create a new IAM policy based on services that the build server deployed or updated in the last 3 months. - Services isn’t very specific, there are multiple different IAM actions that can be performed on each service. Additionally there is no method to achieve what is required. B. Create a new IAM policy that includes all actions that AWS CloudTrail recorded for the IAM role in the last 3 months. - Cloudtrail will record these requests. Cloudtrail has 90 day retention by default, so this is an accurate answer. C. Create a new permissions boundary policy that denies all access. Associate the permissions boundaries with the IAM role. - IAM permissions boundaries have no relevance here, permissions boundaries don’t grant access. D. Create a new IAM policy by using Amazon Athena to query an Amazon S3 bucket that contains AWS CloudTrail events that the IAM role performed in the last 3 months - This is a the best architected solution, but the question is FASTEST, and this is not the fastest method.

D talk about events not actions

Should be A. Digging through CloudTrail log to find out all action does not sound fast enough for me. Again, the question mentioned the Intance role that EC2 using is for Admin, and this could includes more than enough action that will be included in the CloudTrail Log. Besides, the answer A bounds only resouces that was actually used from the team.

Access analyzer reviews cloudtrail logs and generate a template policy that can be further refined to restrict access

The question is asking a way to create a policy with meet the requirement. Using Athena with CloudTrail logs is a powerful way to enhance your analysis of AWS service activity. But in here , no metioned to ask a good analysis tools or way for the logs. https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html