Question
A company uses AWS Organizations to manage 20 AWS accounts. The company has a new requirement to enforce IAM access key rotation every 90 days. Currently, the company uses the access keys to connect to Amazon EC2 instances. The company uses the organization’s management account to manage the IAM users of all the accounts. A security administrator needs to develop a solution for the key rotation. Which solution will meet these requirements?
A. Add an automatic remediation option to an AWS Config rule for access key rotation. Create an AWS Systems Manager Automation runbook. Use AWS CloudFormation StackSets to deploy the runbook. Activate the AWS Config rule. Link the runbook as the automatic remediation step.
B. Add an automatic remediation option to an AWS Config rule for access key rotation. Create an AWS Systems Manager Automation runbook. Use AWS CloudFormation change sets to deploy the runbook. Activate the AWS Config rule. Link the runbook as the automatic remediation step.
C. Add an automatic remediation option to an AWS Systems Manager rule for access key rotation. Create a Systems Manager Automation runbook. Use AWS CloudFormation StackSets to deploy the runbook. Activate the Systems Manager rule. Link the runbook as the automatic remediation step.
D. Add an automatic remediation option to an AWS Systems Manager rule for access key rotation. Create a Systems Manager Automation runbook. Use AWS CloudFormation change sets to deploy the runbook. Invoke an AWS Lambda function to link the runbook as the automatic remediation step.
Answer
A. Add an automatic remediation option to an AWS Config rule for access key rotation. Create an AWS Systems Manager Automation runbook. Use AWS CloudFormation StackSets to deploy the runbook. Activate the AWS Config rule. Link the runbook as the automatic remediation step.
Explanation
The correct answer is A. Add an automatic remediation option to an AWS Config rule for access key rotation. Create an AWS Systems Manager Automation runbook. Use AWS CloudFormation StackSets to deploy the runbook. Activate the AWS Config rule. Link the runbook as the automatic remediation step.
In order to enforce IAM access key rotation every 90 days across all the AWS accounts under the organization, you need to automate the process using the right combination of AWS services.
First, create an AWS Config rule to check for access key rotation. AWS Config rules can evaluate the compliance of your resources (in this case, IAM access keys) against best practices or custom rules. In this scenario, you will create a custom AWS Config rule with a periodic trigger that evaluates the age of your IAM users’ access keys every 24 hours and checks whether any key is older than 90 days.
Next, create an AWS Systems Manager Automation runbook to automatically rotate the access key for any non-compliant IAM users detected by the AWS Config rule. The runbook will contain a workflow that helps in automating the key rotation process.
Now, use AWS CloudFormation StackSets to deploy the runbook across all the AWS accounts under the organization. AWS CloudFormation StackSets simplifies the process of deploying resources to multiple accounts and Regions at once, ensuring that all the linked accounts will have the runbook provisioned.
Afterward, activate the AWS Config rule to start evaluating your IAM users’ access key rotation. Whenever the AWS Config rule detects a non-compliant IAM user (i.e., an access key older than 90 days), it will trigger the automatic remediation step by invoking the AWS Systems Manager Automation runbook.
Finally, linking the runbook to the AWS Config rule as the automatic remediation step ensures that the runbook will be executed whenever a non-compliant IAM user is detected, effectively meeting the requirement of enforcing IAM access key rotation every 90 days.
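The five steps above, put together as one CloudFormation template that a StackSet can push to every member account. This is an added example, not code from the original page or from AWS; it uses the AWS managed rule ACCESS_KEYS_ROTATED (with maxAccessKeyAge set to 90) rather than a custom rule, and the runbook name DeactivateAgedAccessKeys, the role name and the policy scope are assumptions. The runbook takes the only safe action that can be fully automated without the caller's cooperation, deactivating keys older than the limit; issuing a replacement key and delivering it to the EC2 workloads that use it is application-specific and is left out.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - flag IAM access keys older than 90 days and auto-remediate

Resources:
  # Role that the Automation runbook assumes (assumed name and permissions)
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ssm.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: DeactivateAgedAccessKeys
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [iam:ListUsers, iam:ListAccessKeys, iam:UpdateAccessKey]
                Resource: '*'

  # Automation runbook: Config passes the IAM user's unique id (AIDA...), not the
  # user name, so the script resolves the id first, then deactivates aged keys.
  DeactivateAgedKeysRunbook:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Automation
      DocumentFormat: YAML
      Name: DeactivateAgedAccessKeys   # assumed name
      Content:
        schemaVersion: '0.3'
        assumeRole: '{{ AutomationAssumeRole }}'
        parameters:
          IAMResourceId: { type: String }
          MaxAgeDays: { type: Integer, default: 90 }
          AutomationAssumeRole: { type: String }
        mainSteps:
          - name: DeactivateAgedKeys
            action: aws:executeScript
            inputs:
              Runtime: python3.8
              Handler: handler
              InputPayload:
                IAMResourceId: '{{ IAMResourceId }}'
                MaxAgeDays: '{{ MaxAgeDays }}'
              Script: |
                import boto3
                from datetime import datetime, timezone, timedelta

                def handler(event, context):
                    iam = boto3.client("iam")
                    max_age = timedelta(days=int(event["MaxAgeDays"]))
                    # map the Config resource id (UserId) back to a user name
                    user_name = None
                    for page in iam.get_paginator("list_users").paginate():
                        for user in page["Users"]:
                            if user["UserId"] == event["IAMResourceId"]:
                                user_name = user["UserName"]
                    if user_name is None:
                        raise ValueError("no IAM user with UserId " + event["IAMResourceId"])
                    now = datetime.now(timezone.utc)
                    deactivated = []
                    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
                        # CreateDate is timezone-aware, so the subtraction is valid
                        if key["Status"] == "Active" and now - key["CreateDate"] > max_age:
                            iam.update_access_key(UserName=user_name,
                                                  AccessKeyId=key["AccessKeyId"],
                                                  Status="Inactive")
                            deactivated.append(key["AccessKeyId"])
                    return {"UserName": user_name, "DeactivatedKeys": deactivated}

  # Managed rule, evaluated every 24 hours; non-compliant resources are IAM users
  AccessKeysRotatedRule:
    Type: AWS::Config::ConfigRule
    Properties:
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      InputParameters:
        maxAccessKeyAge: 90
      MaximumExecutionFrequency: TwentyFour_Hours

  # The link between rule and runbook: automatic remediation of each finding
  AccessKeysRotatedRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref AccessKeysRotatedRule
      TargetType: SSM_DOCUMENT
      TargetId: !Ref DeactivateAgedKeysRunbook
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue: { Values: [!GetAtt RemediationRole.Arn] }
        IAMResourceId:
          ResourceValue: { Value: RESOURCE_ID }
```

From the management account, the template is deployed organization-wide with `aws cloudformation create-stack-set --permission-model SERVICE_MANAGED --capabilities CAPABILITY_NAMED_IAM` followed by `aws cloudformation create-stack-instances --deployment-targets OrganizationalUnitIds=<OU id>`, which is what makes option A's StackSets step (rather than a single-stack change set) the right fit for 20 accounts. Two checks before relying on it: the AWS Config recorder must already be enabled in every member account or the rule never evaluates, and because the rule is periodic rather than change-triggered, a key can remain active for up to 24 hours past the 90-day mark before the runbook fires.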