Question #921
Which AWS service or feature allows administrators to determine which resources were potentially accessible by an IAM user during a specific date range?
A. Amazon S3 access control lists (ACLs)
B. AWS Certificate Manager (ACM)
C. Network Access Analyzer
D. AWS Identity and Access Management Access Analyzer
Explanation
The correct answer is D. AWS Identity and Access Management (IAM) Access Analyzer helps identify resources that a specified IAM user or role could potentially access during a specific time frame. It evaluates permissions granted by IAM policies and resource-based policies (e.g., S3 bucket policies) as they existed historically, enabling administrators to audit access retrospectively. This is critical for security reviews and compliance.
Why other options are incorrect:
- A (Amazon S3 ACLs): S3 ACLs manage access control for S3 resources but do not provide a way to audit historical access across AWS services.
- B (AWS Certificate Manager): ACM handles SSL/TLS certificates and has no relation to access auditing.
- C (Network Access Analyzer): This service identifies unintended network paths but does not track IAM user access to resources.
Key Points:
- IAM Access Analyzer evaluates permissions retroactively using historical policy data.
- It covers resource access across AWS services; it is not limited to S3 or network configurations.
- The feature supports compliance by enabling audits of past permissions.
Answer
The correct answer is: D