The correct answer is D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
According to the AWS documentation [1], the MaximumExecutionFrequency parameter specifies the maximum frequency with which AWS Config runs evaluations for a rule. For AWS Config managed rules, this value can be one of the following:
One_Hour
Three_Hours
Six_Hours
Twelve_Hours
TwentyFour_Hours
If the rule is triggered by configuration changes, it will still run evaluations when AWS Config delivers the configuration snapshot. However, if the rule is triggered periodically, it will not run evaluations more often than the specified frequency.
In this case, the security engineer enabled four AWS Config managed rules that are triggered periodically. Therefore, these rules will only run evaluations every 24 hours, regardless of when the IAM credential report is generated. This means that the resources will display as noncompliant until the next evaluation cycle, which could take up to 24 hours after the IAM access keys are rotated.
The other options are incorrect because:
A. The IAM credential report can be generated at any time, but it will not affect the compliance status of the resources until the next evaluation cycle of the AWS Config rules.
B. The security engineer was able to invoke the IAM GenerateCredentialReport API operation, which means they have the GenerateCredentialReport permission. This permission is required to generate a credential report that lists all IAM users in an AWS account and their credential status [2].
C. The security engineer does not need the GetCredentialReport permission to enable or evaluate AWS Config rules. This permission is required to retrieve a credential report that was previously generated by using the GenerateCredentialReport operation [2].
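The evaluation lag described above can be worked through in code. This is an added example, not part of the original answer or of AWS's own tooling: it reads a constructed response shaped like the output of DescribeConfigRules and computes how long a remediated resource keeps its old result. The rule names, timestamps and the use of ACCESS_KEYS_ROTATED are assumptions (the page does not name the four rules), as is the fixed schedule counted from the last evaluation.

```python
import json
from datetime import datetime, timedelta, timezone

# MaximumExecutionFrequency enum values mapped to durations.
FREQUENCY = {
    "One_Hour": timedelta(hours=1),
    "Three_Hours": timedelta(hours=3),
    "Six_Hours": timedelta(hours=6),
    "Twelve_Hours": timedelta(hours=12),
    "TwentyFour_Hours": timedelta(hours=24),
}

# Constructed sample shaped like a DescribeConfigRules response.
# Rule names are hypothetical; both entries are periodic managed rules.
SAMPLE = json.loads("""
{"ConfigRules": [
  {"ConfigRuleName": "example-keys-rotated-daily",
   "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
   "MaximumExecutionFrequency": "TwentyFour_Hours"},
  {"ConfigRuleName": "example-keys-rotated-hourly",
   "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
   "MaximumExecutionFrequency": "One_Hour"}
]}
""")

def stale_window(rule, last_evaluated, changed_at):
    """Return (next_evaluation, lag) for a remediation made at changed_at.

    Assumption: the rule runs on a fixed schedule counted from last_evaluated.
    """
    if changed_at < last_evaluated:
        raise ValueError("changed_at must not precede last_evaluated")
    # Periodic rules with no explicit value run every 24 hours.
    period = FREQUENCY[rule.get("MaximumExecutionFrequency", "TwentyFour_Hours")]
    # Step to the first scheduled run strictly after the change.
    runs_elapsed = (changed_at - last_evaluated) // period
    next_evaluation = last_evaluated + (runs_elapsed + 1) * period
    return next_evaluation, next_evaluation - changed_at

def report(response, last_evaluated, changed_at):
    """Map each rule name to how long it keeps showing the old result."""
    return {
        rule["ConfigRuleName"]: stale_window(rule, last_evaluated, changed_at)[1]
        for rule in response["ConfigRules"]
    }

if __name__ == "__main__":
    last = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)      # constructed
    rotated = datetime(2024, 1, 1, 0, 30, tzinfo=timezone.utc)  # constructed
    for name, lag in report(SAMPLE, last, rotated).items():
        print(f"{name}: stale for up to {lag}")
```

AWS Config also provides the StartConfigRulesEvaluation API operation for requesting an evaluation outside the periodic schedule.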
References:
1: AWS::Config::ConfigRule - AWS CloudFormation
2: IAM: Generate and retrieve IAM credential reports