Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 129 discussion

An external audit of a company’s serverless application reveals IAM policies that grant too many permissions. These policies are attached to the company's AWS Lambda execution roles. Hundreds of the company's Lambda functions have broad access permissions such as full access to Amazon S3 buckets and Amazon DynamoDB tables. The company wants each function to have only the minimum permissions that the function needs to complete its task.

A solutions architect must determine which permissions each Lambda function needs.

What should the solutions architect do to meet this requirement with the LEAST amount of effort?

  • A. Set up Amazon CodeGuru to profile the Lambda functions and search for AWS API calls. Create an inventory of the required API calls and resources for each Lambda function. Create new IAM access policies for each Lambda function. Review the new policies to ensure that they meet the company's business requirements.
  • B. Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access Management Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company's business requirements.
  • C. Turn on AWS CloudTrail logging for the AWS account. Create a script to parse the CloudTrail log, search for AWS API calls by Lambda execution role, and create a summary report. Review the report. Create IAM access policies that provide more restrictive permissions for each Lambda function.
  • D. Turn on AWS CloudTrail logging for the AWS account. Export the CloudTrail logs to Amazon S3. Use Amazon EMR to process the CloudTrail logs in Amazon S3 and produce a report of API calls and resources used by each execution role. Create a new IAM access policy for each role. Export the generated roles to an S3 bucket. Review the generated policies to ensure that they meet the company’s business requirements.
Suggested Answer: B
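As an added illustration (not part of the question or of any comment), the script below does by hand what the CloudTrail-based options rely on: it attributes each recorded API call to the Lambda execution role behind the assumed-role session and drafts a per-role policy containing only the observed actions and resources. The CloudTrail records, role names, bucket, table and account number are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records (not from the page); real records carry more fields.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
         "arn": "arn:aws:iam::123456789012:role/order-ingest-lambda-role"}}},
     "resources": [{"ARN": "arn:aws:s3:::example-orders-bucket/incoming/1.json"}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
         "arn": "arn:aws:iam::123456789012:role/order-ingest-lambda-role"}}},
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]},
    # An IAM user call: not a Lambda execution role, so it must be ignored.
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

def execution_role(record):
    """Return the role ARN behind an AssumedRole session, or None for other principals."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")

def observed_access(records):
    """Map role ARN -> {IAM action -> set of resource ARNs} from recorded activity."""
    access = defaultdict(lambda: defaultdict(set))
    for rec in records:
        role = execution_role(rec)
        if role is None:
            continue
        # Approximation: action = service prefix + eventName; not exact for every API.
        service = rec["eventSource"].split(".")[0]
        action = f"{service}:{rec['eventName']}"
        for res in rec.get("resources", []):
            access[role][action].add(res["ARN"])
    return access

def draft_policy(actions):
    """Build a least-privilege policy document with one statement per observed action."""
    statements = [{"Effect": "Allow", "Action": action, "Resource": sorted(arns)}
                  for action, arns in sorted(actions.items())]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    for role, actions in observed_access(SAMPLE_RECORDS).items():
        print(role)
        print(json.dumps(draft_policy(actions), indent=2))
```

Two limits are visible in the output: object-level ARNs need generalising to key prefixes before use, and a role whose function never ran during the log window gets no statements at all, so the review step in option B is where those gaps are caught.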

Comments

God_Is_Love
Highly Voted 2 years, 2 months ago
Selected Answer: B
Access Analyzer uses automated reasoning to analyze resource policies and detect issues such as overly permissive access or violations of organizational security policies. It works by examining the policies attached to AWS resources, such as S3 buckets, IAM roles, and KMS keys, and identifying any potential security risks or policy violations.
upvoted 14 times
God_Is_Love
2 years, 2 months ago
fyi ML tool - CodeGuru has two main components: CodeGuru Reviewer and CodeGuru Profiler. CodeGuru Reviewer is a code review service that uses machine learning to identify code quality issues and security vulnerabilities in your application's source code. It analyzes the code and provides recommendations for improvements based on best practices, industry standards, and AWS experience. CodeGuru Profiler is a profiling tool that uses machine learning to identify performance issues in your application code at runtime. It continuously analyzes the performance characteristics of your application code and provides recommendations for optimization.
upvoted 7 times
amministrazione
Most Recent 8 months, 2 weeks ago
B. Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access Management Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company's business requirements.
upvoted 1 times
cox1960
1 year, 3 months ago
Poor, since B only works when functions are actually triggered and all the branches of the code are covered.
upvoted 1 times
career360guru
1 year, 4 months ago
Selected Answer: B
Option B is the obvious choice.
upvoted 1 times
atirado
1 year, 4 months ago
Selected Answer: B
When approaching questions related to access permissions, it always helps to determine who is accessing what; in this case, it is Lambda functions accessing AWS services (S3 buckets and DynamoDB tables). The choice between A, B and C, D is then based on knowing that CodeGuru and Access Analyzer use an automated process to detect issues in code and to compare actual access versus permissions, which is less effort than C and D. That last bit is where the kicker is. The question refers to IAM execution roles with too-broad AWS IAM permissions to access AWS services and resources: you are looking for the option that tightens IAM policies rather than AWS Lambda function code.
upvoted 2 times
NikkyDicky
1 year, 10 months ago
Selected Answer: B
B - basic access analyzer use case
upvoted 1 times
SkyZeroZx
1 year, 11 months ago
Selected Answer: B
keyword == Access Management Access Analyzer to generate IAM
upvoted 1 times
Alabi
1 year, 11 months ago
Selected Answer: B
B definitely
upvoted 1 times
mfsec
2 years, 1 month ago
Selected Answer: B
B - Identity and Access Management Access Analyzer
upvoted 1 times
zozza2023
2 years, 3 months ago
Selected Answer: B
Identity and Access Management Access Analyzer
upvoted 1 times
masetromain
2 years, 3 months ago
Selected Answer: B
The correct answer is B. Turn on AWS CloudTrail logging for the AWS account, and use AWS Identity and Access Management Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company's business requirements. This is the least amount of effort, as it makes use of AWS services that can automatically analyze the CloudTrail logs, generate the IAM policies, and provide a report for the review process. Options A and D both involve additional steps such as running scripts or using Amazon EMR, which would take more effort to set up and maintain. Option C is similar to options A and D but doesn't use any AWS services to help with the process.
upvoted 3 times
zhangyu20000
2 years, 3 months ago
B is correct
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other