A large enterprise has 200 AWS accounts organized under AWS Organizations. The central security team needs to audit all IAM role trust policies across accounts to ensure no cross-account roles allow external principals. Which approach is most efficient and scalable?
An AWS Config aggregator allows querying resource configuration across all accounts in the organization.
Why this answer
Option D is correct because using AWS Config advanced queries across accounts with aggregation is scalable. Option A is wrong because manual review is not scalable. Option B is wrong because Trusted Advisor does not cover custom policies.
Option C is wrong because IAM Access Analyzer identifies external access but does not provide a full audit of trust policies.
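What the aggregator approach looks like in practice, as an added example that is not part of the original question: the rows below stand in for results of an advanced query such as `SELECT accountId, resourceId, configuration.assumeRolePolicyDocument WHERE resourceType = 'AWS::IAM::Role'` run against an organization-wide aggregator (the account IDs, role names and trust documents are constructed), and the function flags every Allow statement whose AWS principal is a wildcard or an account outside the organization.

```python
import json
import re
from urllib.parse import quote, unquote

ACCOUNT_RE = re.compile(r"\b(\d{12})\b")

def _row(account, role, doc):
    # AWS Config stores assumeRolePolicyDocument URL-encoded, so the sample mirrors that.
    return {"accountId": account, "resourceId": role,
            "configuration": {"assumeRolePolicyDocument": quote(json.dumps(doc))}}

# Constructed sample: an organization of two member accounts (IDs are fictitious).
ORG_ACCOUNTS = {"111111111111", "222222222222"}
SAMPLE_ROWS = [
    _row("111111111111", "InternalAccess", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sts:AssumeRole"}]}),
    _row("111111111111", "VendorAccess", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:root",
                                                  "arn:aws:iam::999999999999:role/Vendor"]},
         "Action": "sts:AssumeRole"}]}),
    _row("222222222222", "Ec2Instance", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}),
    _row("222222222222", "OpenRole", {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}}),
]

def _aws_principals(statement):
    """Yield the AWS (account/role/user) principals of one statement; service principals are skipped."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*"
        return
    aws = principal.get("AWS", [])
    yield from ([aws] if isinstance(aws, str) else aws)

def find_external_trusts(rows, org_accounts):
    """Return one finding per Allow statement that lets a principal outside org_accounts assume the role."""
    findings = []
    for row in rows:
        doc = json.loads(unquote(row["configuration"]["assumeRolePolicyDocument"]))
        statements = doc.get("Statement", [])
        statements = [statements] if isinstance(statements, dict) else statements
        for stmt in statements:
            if stmt.get("Effect") != "Allow":
                continue
            for p in _aws_principals(stmt):
                match = ACCOUNT_RE.search(p)
                # Wildcards and unparseable principals are treated as external (conservative).
                if p == "*" or match is None or match.group(1) not in org_accounts:
                    findings.append({"accountId": row["accountId"],
                                     "role": row["resourceId"], "principal": p})
    return findings
```

Running `find_external_trusts(SAMPLE_ROWS, ORG_ACCOUNTS)` reports only VendorAccess (trusts account 999999999999) and OpenRole (trusts `*`); the cross-account trust between the two member accounts and the EC2 service principal are not flagged.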