A is the Right Answer
A year’s time is generally too long a gap for conducting security audits.
The AWS documentation states the following:
You should audit your security configuration in the following situations:
- On a periodic basis.
- If there are changes in your organization, such as people leaving.
- If you have stopped using one or more individual AWS services. This is important for removing permissions that users in your account no longer need.
- If you’ve added or removed software in your accounts, such as applications on Amazon EC2 instances, AWS OpsWorks stacks, AWS CloudFormation templates, etc.
- If you ever suspect that an unauthorized person might have accessed your account.
Option B is invalid because conducting an audit when new instances are added to your account is a good security practice.
Option C is invalid because if you feel that unauthorized access has occurred on your account, then by all means conduct a security audit.
Option D is invalid because whenever there are any sort of changes in an organization, you should conduct a security audit.
For more information on the security audit guidelines, see the following URL:
https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html
So, the correct answer is: Conduct an audit on a yearly basis