Explanation
AWS IAM Access Analyzer is the correct service for identifying unused access granted to users in AWS accounts. Here's why:
Key Features of AWS IAM Access Analyzer:
- Access Analysis: Analyzes resource policies and identifies resources that are shared with external entities
- Unused Access Detection: Helps identify unused IAM roles, users, and permissions over time
- Policy Validation: Validates IAM policies against security standards
- Continuous Monitoring: Continuously monitors for new or updated access patterns
Why Other Options Are Incorrect:
- AWS CloudTrail: Records API activity for governance, compliance, and auditing purposes, but doesn't itself identify which granted access has gone unused
- AWS IAM Identity Center: Manages single sign-on access to multiple AWS accounts and applications, but doesn't analyze unused permissions
- AWS Trusted Advisor: Provides cost optimization, performance, security, and fault tolerance recommendations, but doesn't specifically focus on unused access analysis
How IAM Access Analyzer Works:
- Analyzes resource-based policies across your AWS environment
- Identifies resources shared with external principals (external access findings)
- Produces unused access findings that show where access is granted but has not been used
- Helps organizations maintain the principle of least privilege by removing unnecessary permissions
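To make the "findings" step concrete, here is an added example (not code from the page or from AWS) that triages unused access findings the way a least-privilege review would: it keeps only active unused-access findings, counts them by type, flags the ones that have stayed open past a review threshold, and maps each to a defensive remediation. The finding shape (findingType, resource, resourceType, status, createdAt) and the unused-access finding type names are assumed to match what the ListFindingsV2 API returns; the sample findings are constructed, and the optional fetch_findings helper is only a sketch of the boto3 call, not something the page describes.

```python
"""Triage IAM Access Analyzer unused-access findings (added example, not the page's code).

Assumptions: findings are dicts shaped like ListFindingsV2 output, and the unused
access finding types are UnusedIAMRole, UnusedIAMUserAccessKey,
UnusedIAMUserPassword and UnusedPermission. Sample data below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

UNUSED_TYPES = {"UnusedIAMRole", "UnusedIAMUserAccessKey",
                "UnusedIAMUserPassword", "UnusedPermission"}

# Defensive action per finding type (assumed wording, not an AWS recommendation text).
REMEDIATION = {
    "UnusedIAMRole": "confirm no workload depends on the role, then delete it",
    "UnusedIAMUserAccessKey": "deactivate the access key, then delete it after a grace period",
    "UnusedIAMUserPassword": "remove the console password from the user",
    "UnusedPermission": "rewrite the policy to allow only the actions actually used",
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are deterministic

# Constructed sample findings (not real account data); account id is a placeholder.
SAMPLE_FINDINGS = [
    {"id": "f-1", "findingType": "UnusedIAMRole", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111111111111:role/legacy-batch", "status": "ACTIVE",
     "createdAt": NOW - timedelta(days=120)},
    {"id": "f-2", "findingType": "UnusedPermission", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111111111111:role/app-server", "status": "ACTIVE",
     "createdAt": NOW - timedelta(days=5)},
    {"id": "f-3", "findingType": "UnusedIAMUserAccessKey", "resourceType": "AWS::IAM::User",
     "resource": "arn:aws:iam::111111111111:user/ci-bot", "status": "ACTIVE",
     "createdAt": NOW - timedelta(days=200)},
    {"id": "f-4", "findingType": "ExternalAccess", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-assets", "status": "ACTIVE",
     "createdAt": NOW - timedelta(days=1)},
    {"id": "f-5", "findingType": "UnusedIAMRole", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111111111111:role/archived", "status": "ARCHIVED",
     "createdAt": NOW - timedelta(days=400)},
]


def unused_findings(findings):
    """Keep only ACTIVE findings of an unused-access type (external access and archived ones drop out)."""
    return [f for f in findings
            if f["status"] == "ACTIVE" and f["findingType"] in UNUSED_TYPES]


def count_by_type(findings):
    """Count findings per finding type, useful for a quick posture summary."""
    return Counter(f["findingType"] for f in findings)


def open_longer_than(findings, days, now=NOW):
    """Findings that have stayed open longer than the review threshold (in days)."""
    cutoff = now - timedelta(days=days)
    return [f for f in findings if f["createdAt"] < cutoff]


def remediation_plan(findings):
    """Pair each finding's resource with the least-privilege action to take."""
    return [(f["resource"], REMEDIATION[f["findingType"]]) for f in findings]


def fetch_findings(analyzer_arn):
    """Sketch of the live call (assumed boto3 API shape; not exercised offline)."""
    import boto3  # imported lazily so the rest of the module runs without AWS access
    client = boto3.client("accessanalyzer")
    findings, token = [], None
    while True:
        kwargs = {"analyzerArn": analyzer_arn}
        if token:
            kwargs["nextToken"] = token
        resp = client.list_findings_v2(**kwargs)
        findings.extend(resp.get("findings", []))
        token = resp.get("nextToken")
        if not token:
            return findings


if __name__ == "__main__":
    active = unused_findings(SAMPLE_FINDINGS)
    print("unused access by type:", dict(count_by_type(active)))
    for f in open_longer_than(active, 90):
        print("open > 90 days:", f["id"], f["resource"])
    for resource, action in remediation_plan(active):
        print(f"{resource}: {action}")
```

Run it as-is to see the triage over the constructed sample; to point it at a real account, replace SAMPLE_FINDINGS with the result of fetch_findings(<your unused-access analyzer ARN>), and treat REMEDIATION as a starting checklist to adapt to your change process.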
This service is specifically designed to help organizations identify and remediate overly permissive access, making it the ideal choice for this use case.