🔥 3-day streak
AWS Certified DevOps Engineer - Professional175 / 204
Question 175 of 204

A company uses AWS IAM Identity Center (successor to AWS SSO) with permission sets federated from an external identity provider. A compliance auditor requires that all human access to production accounts must automatically expire after a maximum of 1 hour and that every console and CLI action performed through federated access is captured in a tamper-evident, centrally aggregated audit trail. Currently, permission sets grant an 8-hour session and CloudTrail is enabled only in each member account. Which combination of changes BEST meets these requirements with the least ongoing operational effort?

Reviewed for accuracy · Report an issueNext question