Question 30
Domain 1: Design Solutions for Organizational Complexity
An architect needs to identify unintended external access to resources in an AWS environment. Which AWS service is designed specifically for analyzing resource policies and highlighting access granted outside the organization?
Correct answer: B
Explanation
Use IAM Access Analyzer to detect resource policies that allow access from outside the intended AWS account or organization. CloudTrail records activity, Security Hub aggregates findings, and Inspector assesses workloads for vulnerabilities.
Reference: AWS security, identity, and compliance tools: AWS CloudTrail, IAM Access Analyzer, AWS Security Hub, Amazon Inspector
Why each option is right or wrong
A. AWS CloudTrail
CloudTrail records API activity and account events; it does not analyze resource policies for external access.
B. AWS Identity and Access Management Access Analyzer
IAM Access Analyzer is the AWS service intended to analyze resource-based policies and identify access granted to principals outside the AWS account or organization, which matches the requirement to find unintended external access.
C. AWS Security Hub
Security Hub centralizes and correlates security findings; it is not the primary policy analysis service for external resource access.
D. Amazon Inspector
Amazon Inspector assesses workloads for software vulnerabilities and exposure; it does not focus on resource policy analysis.