
Exam AWS Certified Security - Specialty topic 1 question 302 discussion

Question #: 302
Topic #: 1

A company has a new AWS account that does not have AWS CloudTrail configured. The account has an IAM access key that was issued by AWS Security Token Service (AWS STS). A security engineer discovers that the IAM access key has been compromised within the last 24 hours.
The security engineer must stop the compromised IAM access key from being used. The security engineer also must determine which activities the key has been used for so far.
What should the security engineer do to meet these requirements?

  • A. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, with the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
  • B. Create a new CloudTrail trail. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
  • C. Create a new CloudTrail trail. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM role the key belongs to. In the IAM console, delete that IAM role.
  • D. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM role the key belongs to. In the IAM console, revoke all active sessions for that IAM role.
Suggested Answer: D
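The procedure behind the suggested answer (search event history by access key, map the key to the principal that owns it, list what it did, then revoke the role's active sessions) as a worked, added example. This is not code from the exam page or from any commenter. It assumes the events were already pulled with the real CLI call `aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key>` and follow CloudTrail's userIdentity document shape; the account ID, key IDs, role and user names, IPs and timestamps are constructed, and the function names are this example's own.

```python
"""Triage a compromised STS access key from CloudTrail event history.

Added example, not code from the exam page or its commenters. It assumes
the events were already pulled with
    aws cloudtrail lookup-events --lookup-attributes \
        AttributeKey=AccessKeyId,AttributeValue=ASIAEXAMPLE1234567
(a real CLI call; event history needs no trail to be configured). The
events, account ID, key IDs and role/user names below are constructed.
"""
import json

# Constructed CloudTrailEvent documents in CloudTrail's userIdentity shape.
# Temporary STS credentials start with ASIA; long-term IAM user keys with AKIA.
ROLE_IDENTITY = {
    "type": "AssumedRole",
    "accessKeyId": "ASIAEXAMPLE1234567",
    "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-build",
    "sessionContext": {"sessionIssuer": {
        "type": "Role", "userName": "DeployRole",
        "arn": "arn:aws:iam::111122223333:role/DeployRole"}},
}
USER_IDENTITY = {
    "type": "IAMUser", "accessKeyId": "AKIAEXAMPLE7654321",
    "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice",
}
SAMPLE_EVENTS = [  # deliberately out of time order
    {"eventTime": "2024-05-01T10:17:42Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ROLE_IDENTITY},
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ROLE_IDENTITY},
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": USER_IDENTITY},
]


def events_for_key(events, access_key_id):
    """Events made with this key, oldest first (the console's access-key filter)."""
    hits = [e for e in events if e["userIdentity"].get("accessKeyId") == access_key_id]
    return sorted(hits, key=lambda e: e["eventTime"])


def identify_principal(events):
    """Whose key is it? An AssumedRole session names its role in
    sessionContext.sessionIssuer; an IAMUser session is the user itself."""
    ident = events[0]["userIdentity"]
    if ident["type"] == "AssumedRole":
        issuer = ident["sessionContext"]["sessionIssuer"]
        return {"kind": "role", "name": issuer["userName"], "arn": issuer["arn"]}
    if ident["type"] == "IAMUser":
        return {"kind": "user", "name": ident["userName"], "arn": ident["arn"]}
    return {"kind": ident["type"], "name": None, "arn": ident.get("arn")}


def activity_summary(events):
    """One line per API call: what the key has been used for so far."""
    return [f'{e["eventTime"]} {e["sourceIPAddress"]} {e["eventSource"]} {e["eventName"]}'
            for e in events]


def revoke_sessions_policy(issued_before):
    """The inline policy (AWSRevokeOlderSessions) that the IAM console's
    'Revoke active sessions' button attaches to a role: every session whose
    token was issued before the timestamp is denied everything, while fresh
    AssumeRole calls still work, so legitimate callers simply re-assume."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}


def triage(events, access_key_id, now_iso8601):
    """Containment plan for one key: who it belongs to, what it did, how to stop it."""
    hits = events_for_key(events, access_key_id)
    if not hits:
        return None
    who = identify_principal(hits)
    plan = {"principal": who, "activity": activity_summary(hits)}
    if who["kind"] == "role":
        plan["policy"] = revoke_sessions_policy(now_iso8601)
        plan["apply_with"] = (f'aws iam put-role-policy --role-name {who["name"]} '
                              '--policy-name AWSRevokeOlderSessions '
                              '--policy-document file://revoke.json')
    elif access_key_id.startswith("AKIA"):
        # A long-term key has no sessions to revoke; deactivate the key itself.
        plan["apply_with"] = (f'aws iam update-access-key --user-name {who["name"]} '
                              f'--access-key-id {access_key_id} --status Inactive')
    else:
        # ASIA key on an IAMUser came from GetSessionToken: deactivate the
        # long-term key that minted it (find it with aws iam list-access-keys).
        plan["apply_with"] = f'aws iam list-access-keys --user-name {who["name"]}'
    return plan


if __name__ == "__main__":
    plan = triage(SAMPLE_EVENTS, "ASIAEXAMPLE1234567", "2024-05-01T11:00:00Z")
    print(json.dumps(plan, indent=2))
```

The `aws iam put-role-policy` line is the CLI equivalent of the console's Revoke sessions tab; because the deny keys off `aws:TokenIssueTime`, it stops the stolen session without deleting the role, and any legitimate workload that re-assumes the role after that timestamp is unaffected. The branch for an AKIA key is included to show why the user-versus-role distinction in the options matters: a long-term user key is contained by deactivating the key, not by revoking sessions.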

Comments

Radhaghosh
Highly Voted 3 years, 4 months ago
Selected Answer: D
Creating a new log makes no sense. Access via STS --> so IAM role, not user. Correct answer: D.
upvoted 13 times
sam_live
Highly Voted 3 years, 4 months ago
Selected Answer: D
Temporary access (AWS STS) is only associated with IAM roles. You can view the usage of the STS session in CloudTrail Event History. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-ct
upvoted 6 times
Raphaello
Most Recent 1 year, 3 months ago
Selected Answer: D
STS provides short-term creds, therefore an IAM role belongs to the keys, not a user. D.
upvoted 1 times
yorkicurke
1 year, 5 months ago
Selected Answer: A
And why I think D is wrong. Option D: because it assumes that the compromised key belongs to an IAM role. However, the scenario specifies that the key was issued by AWS Security Token Service (AWS STS), which typically issues temporary credentials to IAM users, not roles. IAM roles do not have "sessions" that can be revoked in the same way that IAM users do. Hence, this option would not effectively stop the compromised key from being used.
upvoted 1 times
Toptip
2 years ago
Selected Answer: D
D, no doubts... STS = role (not IAM user). Also, you don't have to enable CloudTrail to search for user activities in the CloudTrail console: Q: If I am a new AWS customer or existing AWS customer and don't have CloudTrail set up, do I need to enable or set up anything to view my account activity? - No, nothing is required to begin viewing your account activity. You can visit the AWS CloudTrail console or AWS CLI and begin viewing up to the past 90 days of account activity.
upvoted 1 times
ITGURU51
2 years, 1 month ago
AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for users. You can use these credentials to make programmatic requests for AWS resources using the AWS CLI or AWS API (using the AWS SDKs). The temporary credentials provide the same permissions as long-term security credentials, such as IAM user credentials. Therefore: D
upvoted 1 times
roguecloud
2 years, 4 months ago
Another UGLY question. I think it has to boil down to A. B & C = can't configure CloudTrail after the fact for this. D does not really make sense, as an access key is for a USER, not a ROLE; the key does not "belong to" the role as the answer states (probably to throw us off!). This answer might be more correct if it mentioned "temporary security credentials."
upvoted 1 times
jishrajesh
2 years, 5 months ago
D is the Answer
upvoted 1 times
awsec2
2 years, 5 months ago
Option A is not correct because CloudTrail must be configured first before it can be used to search for events by access key. Option C is not correct because it suggests deleting the IAM role, which may not be appropriate if the role is still needed. Option D is not correct because it suggests revoking active sessions for the IAM role, but the question states that the key belongs to an IAM user, not an IAM role.
upvoted 1 times
ErnstVonPappen
2 years, 9 months ago
So Sapien45 works for Amazon.
upvoted 3 times
sapien45
2 years, 9 months ago
Selected Answer: D
To immediately deny all permissions to any current user of role credentials : In the navigation pane, choose Roles, and then choose the name (not the check box) of the role whose permissions you want to revoke. On the Summary page for the selected role, choose the Revoke sessions tab. On the Revoke sessions tab, choose Revoke active sessions. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
upvoted 3 times
sapien45
2 years, 9 months ago
I have exciting news for all Amazon Web Services customers! I have been waiting patiently to share this great news with all of you and finally, the wait is over. AWS CloudTrail is now enabled by default for ALL CUSTOMERS and will provide visibility into the past seven days of account activity without the need for you to configure a trail in the service to get started. This new ‘always on’ capability provides the ability to view, search, and download the aforementioned account activity through the CloudTrail Event History. https://aws.amazon.com/blogs/aws/new-amazon-web-services-extends-cloudtrail-to-all-aws-customers/
upvoted 6 times
ShortRound
3 years, 1 month ago
Selected Answer: D
I just read https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html and see that D is the best answer.
upvoted 4 times
ShortRound
3 years, 1 month ago
Selected Answer: A
D sounds close, but IAM keys do not belong to Roles. A is the better answer as it mentions the IAM user key.
upvoted 4 times
lotfi50
3 years ago
As the access is through STS --> it means an IAM role.
upvoted 3 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: A
C and D are out, as no key is associated with an IAM role. B and C are out, as the new trail cannot capture the historical events. A is the only choice. CloudTrail is enabled by default without setup for any new account for many years now, and the default retention has been changed from 7 to 14 days, not 90 days.
upvoted 3 times
ceros399
3 years, 2 months ago
Selected Answer: B
B should be the answer. First, CloudTrail was not enabled, so in order to have CloudTrail information we first must enable it; D and A don't pass this statement. Then it is about access keys, which are related to users.
upvoted 1 times
mongiam
3 years, 1 month ago
CloudTrail is enabled by default without setup for any new account.
upvoted 3 times
tezawynn
3 years, 2 months ago
It says CloudTrail is not turned on, so A and D are ruled out. You disable the access key, not delete the role. Thus B.
upvoted 2 times
babaseun
3 years, 5 months ago
D. I believe we revoke the IAM role for the compromised key, not the user. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other