The requirement has two parts: (1) continuously or regularly evaluate IAM access key age against a 90-day policy, and (2) remediate noncompliant keys by disabling and deleting them. The least operational effort generally comes from using managed compliance evaluation and lightweight serverless remediation.
AWS Config is designed to assess resource configuration compliance over time. Using an AWS Config rule to check access key age fits the governance model because Config maintains a compliance history, supports central reporting, and can evaluate keys across an account (and commonly across an organization with aggregation patterns). After detection, remediation should be automated with minimal infrastructure, and AWS Lambda is the lightest operational tool for directly calling IAM APIs (UpdateAccessKey to Inactive, then DeleteAccessKey) on a schedule.
Option C pairs these appropriately: Config performs compliance evaluation, and an EventBridge scheduled rule triggers a Lambda function to remediate keys older than 90 days. This avoids running and maintaining compute fleets or batch infrastructure. It also provides clear separation of duties: Config for detection and evidence, Lambda for corrective action.
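The remediation half of that design, written out as an added example (not code from the original page): a Lambda handler for the EventBridge schedule that lists every IAM access key, classifies it against the 90-day threshold, and deactivates before deleting so a failed delete still leaves the key unusable. The detection half is assumed to be the AWS Config managed rule ACCESS_KEYS_ROTATED with maxAccessKeyAge=90. The execution role is assumed to hold iam:ListUsers, iam:ListAccessKeys, iam:UpdateAccessKey and iam:DeleteAccessKey; the user names, key IDs and dates in the sample are constructed.

```python
"""Scheduled IAM access-key remediation (added example, not from the original page).

Assumes a Lambda execution role with iam:ListUsers, iam:ListAccessKeys,
iam:UpdateAccessKey and iam:DeleteAccessKey. AWS Config (managed rule
ACCESS_KEYS_ROTATED, maxAccessKeyAge=90) is assumed to be the detection side;
this function is the corrective side. Sample users/keys/dates are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90


def key_age_days(create_date, now):
    """Whole days between the key's CreateDate and 'now' (both timezone-aware)."""
    return (now - create_date).days


def plan_remediation(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Decide what to do with each key, given dicts shaped like IAM ListAccessKeys entries.

    Returns a list of (user, key_id, actions), where actions is an ordered tuple:
      ("deactivate", "delete")  Active key older than the threshold
      ("delete",)               key already Inactive and older than the threshold
      ()                        compliant key (age <= threshold), left alone
    """
    plan = []
    for k in keys:
        age = key_age_days(k["CreateDate"], now)
        if age <= max_age_days:
            actions = ()
        elif k["Status"] == "Active":
            actions = ("deactivate", "delete")
        else:
            actions = ("delete",)
        plan.append((k["UserName"], k["AccessKeyId"], actions))
    return plan


def list_all_keys(iam):
    """Collect every access key in the account using the paginated IAM APIs."""
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            paginator = iam.get_paginator("list_access_keys")
            for kpage in paginator.paginate(UserName=user["UserName"]):
                keys.extend(kpage["AccessKeyMetadata"])
    return keys


def apply_plan(iam, plan):
    """Run the plan against IAM in order; returns how many keys were remediated."""
    touched = 0
    for user, key_id, actions in plan:
        for action in actions:
            if action == "deactivate":
                iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
            elif action == "delete":
                iam.delete_access_key(UserName=user, AccessKeyId=key_id)
        if actions:
            touched += 1
    return touched


def lambda_handler(event, context):
    """EventBridge scheduled entry point. boto3 (bundled in the Lambda Python
    runtime) is imported here so the decision logic above runs without AWS."""
    import boto3
    iam = boto3.client("iam")
    plan = plan_remediation(list_all_keys(iam), datetime.now(timezone.utc))
    return {"remediated": apply_plan(iam, plan)}


# Constructed sample: what ListAccessKeys might return for three users.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=120)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=95)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Active", "CreateDate": NOW - timedelta(days=30)},
]

if __name__ == "__main__":
    for user, key_id, actions in plan_remediation(SAMPLE_KEYS, NOW):
        print(f"{user:6} {key_id} -> {actions or 'compliant'}")
```

Keeping the decision in `plan_remediation` separate from the IAM calls means the 90-day boundary (exactly 90 days is still compliant; 91 is not) can be unit-tested and reviewed as evidence alongside the Config compliance history, and the same plan can be logged before `apply_plan` executes it.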
Options A, B, and D rely on AWS Batch, which introduces additional operational overhead (compute environments, job definitions, queues, scaling, and monitoring) that is unnecessary for a simple IAM housekeeping task. Also, EventBridge by itself is not a compliance evaluation service; it can schedule a job, but it does not inherently track “key age” state or compliance posture the way Config does.
Therefore, C best meets the requirement with the least operational effort by using Config for continuous compliance visibility and a scheduled Lambda for automated key deactivation and deletion.