Exam AWS Certified Security - Specialty topic 1 question 59 discussion

A & E is correct For E - (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html) "f your users use access keys to access AWS programmatically you can refer to access key last used information because it is accurate for all dates."

Agreed, A and E are correct. All activities of an IAM user can be monitored using aws cloudtrail.

"assess the impact of the key exposure" A. CloudTrail will help assessing impact through reviewing API calls issued. B. CloudWatch Logs will help assessing impact through reviewing activities made. E. IAM report will show only details about CREDENTIALS. Won't help with assessing impact ofc. Answers AB are correct.

A- Use Cloudtrail for visibility into user behaviors and API activity. E- You can use AWS Identity and Access Management (IAM) credential reports to help you meet the security, auditing, and compliance requirements of your organization. Credential reports provide a list of all the users in your AWS accounts and show the status of their credentials, such as passwords, access keys, and multi-factor authentication (MFA) devices.

Question specifically mentions assess the impact of key exposure and ensure credentials were not misused. Option E might give the last accessed but doesn't satisfy what the question is asking.

With E only see last access, you don't see event details and what the user performed is not there. So the answer it A and D. Report is batch process.

A. yes - you can get api/caller identity historically B. yes - cloud watch insights, simple tool to do basic query and export C. AWS Trusted Advisor - no, as you can't get a credential report D. AWS Config for IAM user activity - again, it's not possible to get a report E. credential report from IAM - yed, but you can see when a cred was used last, which is not helpfull in this case

A - obvious Between D & E: I would go for D as it provides details of missuse via change in resource detected in AWS Config. E- Just provides use of the key by someone but not indicate missuse.

A is obvious, for E, here are some info you can get from the report: access_key_1_last_used_date The date and time, in ISO 8601 date-time format, when the user's access key was most recently used to sign an AWS API request. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field. access_key_1_last_used_service The AWS service that was most recently accessed with the access key. The value in this field uses the service's namespace—for example, s3 for Amazon S3 and ec2 for Amazon EC2. When an access key is used more than once in a 15-minute span, only the first use is recorded in this field.

I choose options A and E.

A & E is correct E: it wloud provide the last accessed time

A * E is correct

I do A and D for this kind of incident, use A for quick identifying what the key is used for; D for easy viewing the details of what has been changed (will A should reveal the changes too but a little bit harder to read) E. does not very useful for this situation B. CouldWatch is not for API call auditing. C. Tresterd Advisor does not provide such report.

Correct answers are A and E

extent of the key exposure's effect confirm that the credentials were not misused Means, if there are resources changed, it must be discovered. If any data is accessed, it must be identified A, D E - will not give details on misuse. Only details last used, what if multiple people used it, as it publicly exposed.

AWS Credentials report will give when the Key was last used and from which region. But CloudWatch Log Insight& CloudTrail will give the activity history. Refer this link https://aws.amazon.com/premiumsupport/knowledge-center/view-iam-history/ Correct Answer A & B

A&B are right