A Security Engineer must design a solution that enables the Incident Response team to audit for changes to a user's IAM permissions in the case of a security incident. How can this be accomplished?
A. Use AWS Config to review the IAM policy assigned to users before and after the incident.
B. Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.
C. Copy AWS CloudFormation templates to S3, and audit for changes from the template.
D. Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.
Agreed. Answer is A. However, this will require the admin to first create an AWS Config rule to record the IAM user changes. AWS Config will not record those changes by default. https://aws.amazon.com/blogs/security/how-to-record-and-govern-your-iam-resource-configurations-using-aws-config/
Answer A seems the right one, but is that comment right?
The link you passed and the documentation say that Config records all configuration changes on IAM by default.
So I don't think it is needed to add a rule to get this data.
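To make answer A concrete, here is an added example (not from the original post, and not AWS code) of what the Incident Response team would actually do with the AWS Config history: pull the AWS::IAM::User configuration items around the incident time and diff the last snapshot before it against the latest one. It assumes Config is recording IAM (a global resource, so the recorder in the region that records global resources must have it enabled), that the recorded configuration body carries the attachedManagedPolicies, userPolicyList and groupList fields, and that get_resource_config_history returns `configuration` as a JSON string. The two-snapshot history and the user ARN below are constructed sample data; `fetch_history` is the only part that talks to AWS and is not needed to run the diff.

```python
"""Diff a user's IAM permissions from AWS Config history (added example)."""
import json
from datetime import datetime, timezone


def _config(item):
    """get_resource_config_history returns `configuration` as a JSON string;
    accept either that or an already-parsed dict (assumption about the API shape)."""
    cfg = item["configuration"]
    return json.loads(cfg) if isinstance(cfg, str) else cfg


def permission_set(item):
    """Flatten one AWS::IAM::User configurationItem into (kind, name) tuples.
    Field names follow the Config schema for IAM users (assumed here)."""
    cfg = _config(item)
    perms = set()
    for p in cfg.get("attachedManagedPolicies", []):
        perms.add(("managed", p["policyArn"]))
    for p in cfg.get("userPolicyList", []):
        perms.add(("inline", p["policyName"]))
    for g in cfg.get("groupList", []):
        perms.add(("group", g))
    return perms


def diff_permissions(history, incident_time):
    """Compare the last snapshot captured before incident_time with the
    latest snapshot at or after it. history may be in any order.
    Raises ValueError if nothing was recorded before the incident, because
    then there is no trustworthy baseline to diff against."""
    ordered = sorted(history, key=lambda i: i["configurationItemCaptureTime"])
    before = [i for i in ordered if i["configurationItemCaptureTime"] < incident_time]
    after = [i for i in ordered if i["configurationItemCaptureTime"] >= incident_time]
    if not before:
        raise ValueError("no Config snapshot recorded before the incident window")
    baseline = before[-1]
    current = after[-1] if after else baseline
    old, new = permission_set(baseline), permission_set(current)
    return {
        "baseline_time": baseline["configurationItemCaptureTime"],
        "current_time": current["configurationItemCaptureTime"],
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


def fetch_history(user_id, earlier, later, region="us-east-1"):
    """Pull the real configuration items with boto3 (not exercised offline).
    resourceId for AWS::IAM::User is the IAM user id (AIDA...), not the name."""
    import boto3  # imported lazily so the diff logic runs without boto3
    client = boto3.client("config", region_name=region)
    items, token = [], None
    while True:
        kwargs = dict(resourceType="AWS::IAM::User", resourceId=user_id,
                      earlierTime=earlier, laterTime=later,
                      chronologicalOrder="Forward")
        if token:
            kwargs["nextToken"] = token
        resp = client.get_resource_config_history(**kwargs)
        items.extend(resp.get("configurationItems", []))
        token = resp.get("nextToken")
        if not token:
            return items


# Constructed sample history: a read-only developer who gained admin and an
# inline policy after the incident started.
def _snapshot(ts, managed, inline, groups):
    return {
        "configurationItemCaptureTime": ts,
        "configuration": json.dumps({
            "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice",
            "attachedManagedPolicies": [{"policyName": m.rsplit("/", 1)[1], "policyArn": m}
                                        for m in managed],
            "userPolicyList": [{"policyName": n, "policyDocument": "{}"} for n in inline],
            "groupList": groups,
        }),
    }


SAMPLE_HISTORY = [
    _snapshot(datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc),
              ["arn:aws:iam::aws:policy/ReadOnlyAccess"], [], ["developers"]),
    _snapshot(datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc),
              ["arn:aws:iam::aws:policy/ReadOnlyAccess",
               "arn:aws:iam::aws:policy/AdministratorAccess"],
              ["temp-s3-full"], ["developers"]),
]
INCIDENT_TIME = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for k, v in diff_permissions(SAMPLE_HISTORY, INCIDENT_TIME).items():
        print(f"{k}: {v}")
```

The diff is keyed on policy ARNs, inline policy names and group names, which is what answer A's "policy assigned to users before and after the incident" amounts to; inline policy documents themselves can also change, so a fuller version would compare the policyDocument bodies as well.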
Here are 2 points that make B wrong: 1. GenerateCredentialReport is related to passwords and not to roles and policies as requested https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html . 2. They want to check the incident only when there is a problem, and in B you are taking action every week.
Couldn't find any field relating to IAM permission changes in credential reports (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html#id_credentials_understanding_the_report_format)
I'm going with A, because of the statement "in case of a security event".
When using B, you'll end up filling storage with logs, and only when something happens will you need to review. It's not asking for continuous logging but rather a way to audit logs "when" something happens.
B works, just not for the scenario they're painting
I think that A and B are correct. B is correct because running the GenerateCredentialReport via the AWS CLI and copying the output to Amazon S3 daily for auditing purposes allows the incident response team to view a user's IAM permissions over time. This can help identify changes that were made that could be related to the incident. Additionally, by copying the report to Amazon S3, the incident response team will have a secure and durable storage location for the audit logs. It's important to note that AWS Config and CloudTrail logs can also be used to view changes in IAM policies, but the Credential Report provides a more detailed and user-centric view of IAM permissions, which can be useful in incident investigations.
Hello. In my opinion, B is wrong. There are 2 points that make it wrong: 1. GenerateCredentialReport is related to passwords and not to roles and policies as requested https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html . 2. They want to check the incident only when there is a problem, and in B you are taking actions every week.