A company has a team of developers that provisions their own resources on the AWS cloud. The developers use IAM user access keys to automate their resource provisioning and application testing processes in AWS. To ensure proper security compliance, the security team wants to automate the process of deactivating and deleting any IAM user access key that is over 90 days old.
Which solution will meet these requirements with the LEAST operational effort?
The correct answer:
Use the AWS Config managed rule to check if the IAM user access keys are not rotated within 90 days. Create an Amazon EventBridge (Amazon CloudWatch Events) rule for the non-compliant keys, and define a target to invoke a custom Lambda function to deactivate and delete the keys.
Was hoping for just a touch of clarity. I understand Config is the correct service to use in this case; however, I did not select this option because the solution mentions any key that has not been rotated in 90 days. In this case the request was any key that is over 90 days old. I was of the belief that access key age is not the same as how long since the key has been rotated. I guess access key age and days since rotation are the same thing?
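Below is an added example, not code from the original post or any AWS sample, of the custom Lambda function the answer describes. It assumes the AWS Config managed rule `access-keys-rotated` with `maxAccessKeyAge` set to 90 and an EventBridge rule that forwards that rule's "Config Rules Compliance Change" events to the function; the event, user and key identifiers are constructed placeholders, and the `FakeIam` class stands in for the boto3 IAM client so the logic runs offline. It also bears on the age-versus-rotation question above: an IAM access key cannot be modified in place, so rotating means creating a new key and retiring the old one, and the managed rule judges rotation by the active key's `CreateDate`. The handler measures age the same way, retiring only keys strictly over the limit (a key exactly 90 days old is kept).

```python
# Added example (not from the original post). Assumes the AWS Config managed rule
# access-keys-rotated (maxAccessKeyAge=90) feeds "Config Rules Compliance Change"
# events for AWS::IAM::User resources to this Lambda via EventBridge. The IAM
# client is injected so the logic can run offline against the fake at the bottom.
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90


def key_age_days(create_date, now):
    """Days since CreateDate. Keys are immutable, so rotating means issuing a new key
    and retiring the old one; an active key's age is thus its time since rotation."""
    return (now - create_date).days


def select_expired_keys(key_metadata, now, max_age_days=MAX_KEY_AGE_DAYS):
    """AccessKeyIds (list_access_keys output) strictly older than max_age_days."""
    return [k["AccessKeyId"] for k in key_metadata
            if key_age_days(k["CreateDate"], now) > max_age_days]


def retire_old_keys(iam, user_name, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Deactivate then delete each expired key of user_name; return retired IDs.
    Deactivating first leaves a recovery point if the delete call fails midway."""
    page = iam.list_access_keys(UserName=user_name)  # single page assumed here
    expired = select_expired_keys(page["AccessKeyMetadata"], now, max_age_days)
    for key_id in expired:
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
        iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
    return expired


def user_name_from_event(event, iam):
    """Resolve the Config resourceId (for AWS::IAM::User this is the UserId, not
    the UserName) to a user name; None if the event is not a NON_COMPLIANT user."""
    detail = event["detail"]
    if detail.get("resourceType") != "AWS::IAM::User":
        return None
    if detail["newEvaluationResult"]["complianceType"] != "NON_COMPLIANT":
        return None
    for user in iam.list_users()["Users"]:  # single page assumed here
        if user["UserId"] == detail["resourceId"]:
            return user["UserName"]
    return None


def lambda_handler(event, context=None, iam=None, now=None):
    """EventBridge entry point; builds a boto3 client only when none is injected."""
    if iam is None:
        import boto3  # lazy so the module also imports where boto3 is absent
        iam = boto3.client("iam")
    now = now or datetime.now(timezone.utc)
    user_name = user_name_from_event(event, iam)
    if user_name is None:
        return {"user": None, "retired": []}
    return {"user": user_name, "retired": retire_old_keys(iam, user_name, now)}


# ---- constructed sample data; the identifiers below are placeholders ----
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {"resourceId": "AIDAEXAMPLEUSER00001", "resourceType": "AWS::IAM::User",
               "configRuleName": "access-keys-rotated",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}


class FakeIam:
    """Minimal stand-in for boto3's IAM client that records mutating calls."""

    def __init__(self):
        self.calls = []
        self.keys = [  # 120 days (expired), exactly 90 (kept: not *over* 90), 3 days
            {"AccessKeyId": "AKIAEXAMPLEOLD000001", "Status": "Active",
             "CreateDate": NOW - timedelta(days=120)},
            {"AccessKeyId": "AKIAEXAMPLEEDGE00001", "Status": "Active",
             "CreateDate": NOW - timedelta(days=90)},
            {"AccessKeyId": "AKIAEXAMPLENEW000001", "Status": "Active",
             "CreateDate": NOW - timedelta(days=3)},
        ]

    def list_users(self):
        return {"Users": [{"UserName": "dev-alice", "UserId": "AIDAEXAMPLEUSER00001"}]}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": list(self.keys)}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update_access_key", AccessKeyId, Status))

    def delete_access_key(self, UserName, AccessKeyId):
        self.calls.append(("delete_access_key", AccessKeyId))
        self.keys = [k for k in self.keys if k["AccessKeyId"] != AccessKeyId]


if __name__ == "__main__":
    fake = FakeIam()
    print(lambda_handler(SAMPLE_EVENT, iam=fake, now=NOW), fake.calls)
```

In a real deployment the function's execution role needs only `iam:ListUsers`, `iam:ListAccessKeys`, `iam:UpdateAccessKey` and `iam:DeleteAccessKey`, and both list calls should be paginated; the single-page shortcut is an assumption of this sample.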