Question #1104
Which AWS service provides visibility into IAM roles that are shared across multiple AWS accounts by analyzing resource-based policies for external access?
AWS Config
AWS CloudTrail
AWS Identity and Access Management Access Analyzer
AWS Organizations
Explanation
The correct answer is C. AWS Identity and Access Management Access Analyzer.
Why C is Correct:
IAM Access Analyzer helps identify resources (like IAM roles, S3 buckets, KMS keys, etc.) that are shared with external entities, including other AWS accounts. It analyzes resource-based policies (e.g., IAM role trust policies) to detect cross-account access, providing visibility into potential security risks. This aligns directly with the question's focus on identifying shared IAM roles across accounts.
Why Other Options Are Incorrect:
- A. AWS Config: Tracks resource configuration and compliance over time but does not analyze policies for external access.
- B. AWS CloudTrail: Logs API activity for auditing purposes but does not evaluate resource-based policies for cross-account sharing.
- D. AWS Organizations: Manages multiple AWS accounts centrally (e.g., consolidated billing, service control policies) but does not analyze resource policies.
Key Points:
- IAM Access Analyzer focuses on identifying unintended resource access via policy analysis.
- Resource-based policies (e.g., S3 bucket policies, IAM role trust policies) are the primary targets of Access Analyzer.
- Cross-account access detection is a core feature of Access Analyzer.
Answer
The correct answer is: C