
Exam AWS Certified Security - Specialty topic 1 question 200 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 200
Topic #: 1

A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company's primary website. The GuardDuty finding received read: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.
The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate.
The security engineer needs to deny access to the malicious actor.
What is the first step the security engineer should take?

  • A. Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.
  • B. Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.
  • C. Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.
  • D. Open the IAM console and revoke all IAM sessions that are associated with the instance profile.
Suggested Answer: D 🗳️
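Added example, not from the exam page, the comments, or AWS's own tooling: what the IAM console's "Revoke sessions" button actually does, and why it is the right first step against exfiltrated instance-profile credentials. The console attaches an inline policy (named AWSRevokeOlderSessions) to the role that denies every action to any session whose temporary credentials carry an aws:TokenIssueTime earlier than the moment of the click. The code below builds that policy, simulates IAM's evaluation of the condition against a constructed timeline (credentials stolen at 10:00, revoked at 10:30, fresh credentials fetched by the instance at 10:45), and shows the boto3 call that applies it. The role name, the timestamps and the `iam_client` parameter are assumptions for illustration.

```python
"""Added example (not from the exam page or AWS): build and evaluate the
deny policy that IAM's "Revoke sessions" applies to an instance-profile role."""
import json
from datetime import datetime, timezone

# Name the IAM console gives the inline policy it attaches on "Revoke sessions".
POLICY_NAME = "AWSRevokeOlderSessions"


def build_revoke_policy(cutoff: datetime) -> dict:
    """Return a policy document denying every action to any session whose
    temporary credentials were issued before `cutoff` (must be tz-aware)."""
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware (use UTC)")
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def session_is_denied(policy: dict, token_issue_time: datetime) -> bool:
    """Evaluate the policy's condition the way IAM does for a request made
    with credentials issued at `token_issue_time`: denied if earlier than the cutoff."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cutoff = stmt["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
        cutoff_dt = datetime.strptime(cutoff, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if token_issue_time.astimezone(timezone.utc) < cutoff_dt:
            return True
    return False


def revoke_role_sessions(role_name: str, iam_client=None, now=None) -> dict:
    """Attach the deny policy to `role_name` (the instance profile's role).
    `iam_client` is assumed to be a boto3 IAM client; one is created if omitted.
    Returns the policy document that was applied."""
    cutoff = now or datetime.now(timezone.utc)
    policy = build_revoke_policy(cutoff)
    if iam_client is None:
        import boto3  # only needed when actually talking to AWS
        iam_client = boto3.client("iam")
    iam_client.put_role_policy(
        RoleName=role_name,
        PolicyName=POLICY_NAME,
        PolicyDocument=json.dumps(policy),
    )
    return policy


if __name__ == "__main__":
    # Constructed timeline (not from the page): creds stolen at 10:00 UTC,
    # engineer revokes at 10:30, instance fetches fresh creds from IMDS at 10:45.
    stolen = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    revoke_at = datetime(2024, 1, 1, 10, 30, tzinfo=timezone.utc)
    fresh = datetime(2024, 1, 1, 10, 45, tzinfo=timezone.utc)
    policy = build_revoke_policy(revoke_at)
    print(json.dumps(policy, indent=2))
    print("stolen credentials denied:", session_is_denied(policy, stolen))  # True
    print("fresh credentials denied:", session_is_denied(policy, fresh))    # False
```

The evaluation makes the trade-off visible: every credential the attacker exfiltrated before the cutoff stops working immediately, while the website keeps running because the instance's next credential refresh from IMDS is issued after the cutoff and is unaffected. It also shows the limit of this step on its own: if the foothold that leaked the credentials in the first place is still open, freshly issued credentials can leak the same way, which is why the instance still has to be isolated and examined afterwards.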

Comments

DayQuil
Highly Voted 3 years, 9 months ago
D. It should be instance access keys/credentials. Not sure who's writing these questions, but there's really weird wording for some answer choices.
upvoted 21 times
Daniel76
3 years, 8 months ago
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
upvoted 6 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: D
D seems logical. It is the correct answer.
upvoted 1 times
EricZhang
1 year, 8 months ago
I see the consensus is D but don't get it. D only says revoke sessions. However since the malicious actor has the access key he can always create a new session? While A blocks his access immediately?
upvoted 1 times
OCHT
2 years, 1 month ago
Selected Answer: D
D. Open the IAM console and revoke all IAM sessions that are associated with the instance profile. The first step should be to immediately revoke any potentially compromised access keys or IAM sessions related to the EC2 instance's instance profile, in order to prevent further API actions executed by the malicious actor using those credentials. This would help minimize any damage caused while additional investigations or mitigation steps can then be made.
upvoted 1 times
ITGURU51
2 years, 2 months ago
The IAM console is the right place to revoke access keys. You can also use the AWS CLI or AWS SDKs to revoke access keys. D
upvoted 1 times
luk3k0
2 years, 4 months ago
Selected Answer: D
Change from A to D, because A is too passive.
upvoted 1 times
arpgaur
2 years, 5 months ago
Answer is clearly D. It's the company's primary website that has been attacked, so you would need to act accordingly; the rest of the options are too passive.
upvoted 1 times
dcasabona
2 years, 11 months ago
Selected Answer: D
Option D.
upvoted 1 times
Jonfernz
3 years, 1 month ago
Selected Answer: D
Open the IAM console and revoke all IAM sessions that are associated with the instance profile.
upvoted 2 times
Jonfernz
3 years, 1 month ago
^^ Emphasis on "initial step" in the question. You need to terminate the connection before any/further damage is done.
upvoted 1 times
hk436
3 years, 8 months ago
D is my answer.
upvoted 1 times
skipbaylessfor3
3 years, 8 months ago
I think it's D, and the wording seems fine to me? If you go to IAM Roles in the console and select a random instance profile, you'll see a tab called 'Revoke sessions'; click on it and you'll have a button to Revoke active (IAM) sessions. Seems good enough to me.
upvoted 2 times
Joanale
3 years, 8 months ago
This just deletes the actual connection; that connection can be re-enabled, so the answer should be A. No other choice, no matter if the web server goes down in the process.
upvoted 1 times
skipbaylessfor3
3 years, 8 months ago
Your reasoning seems right but the question is asking what an immediate step should be ("what is the first step the security engineer should take?"), so as an immediate and quick action you want to revoke active sessions. Then, afterwards you can go in and check any security groups that allow inbound from 0.0.0.0/0 (or just have Config check that for you)
upvoted 2 times
DerekKey
3 years, 8 months ago
D - https://aws.amazon.com/premiumsupport/knowledge-center/resolve-guardduty-credential-alerts/
upvoted 3 times
[Removed]
3 years, 8 months ago
The attacker already got the access keys and can use them from anywhere in the world; what will you get by blocking access to the EC2 instance? You can revoke all the sessions from the compromised access key and inactivate/delete the key to contain the damage. Also, the EC2 instance will have to go through forensics and needs to be contained as well, but for root cause analysis.
upvoted 2 times
cldy
3 years, 8 months ago
D. A will block all
upvoted 2 times
Ayusef
3 years, 8 months ago
I think it's D... also, and yes, the wording is horrific.
upvoted 2 times
Hudda
3 years, 9 months ago
Shouldn't the SG be the first task, which is A?
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other