Exam AWS Certified Security - Specialty topic 1 question 306 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 306
Topic #: 1

A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check.
The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked.
What could be the reason for the noncompliant status?

  • A. The IAM credential report was generated within the past 4 hours.
  • B. The security engineer does not have the GenerateCredentialReport permission.
  • C. The security engineer does not have the GetCredentialReport permission.
  • D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
Suggested Answer: A

Comments

James2022
Highly Voted 3 years, 4 months ago
Selected Answer: A
See: https://aws.amazon.com/premiumsupport/knowledge-center/config-credential-report/
upvoted 9 times
...
hro
Most Recent 1 year, 1 month ago
D - Maybe I am interpreting the question incorrectly. But according to the following (see below), it can't be A because this answer deals with the report and not the noncompliant status. A report would have been downloaded regardless of compliance status. D seems to relate to the noncompliant status message based on the following link provided above. Source: https://aws.amazon.com/blogs/mt/managing-aged-access-keys-through-aws-config-remediations/
upvoted 1 times
...
Raphaello
1 year, 2 months ago
Selected Answer: A
A. You can generate a credential report as often as once every four hours https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
upvoted 1 times
...
amaltare
2 years ago
Selected Answer: A
supporting link https://repost.aws/knowledge-center/config-credential-report
upvoted 1 times
...
awsec2
2 years, 4 months ago
The reason for the noncompliant status could be that the IAM credential report was generated within the past 4 hours. When the IAM GenerateCredentialReport API operation is invoked, it takes about 4 hours for the report to be generated and made available for use. Until the report is generated, all resources will be displayed as noncompliant. Option A is correct because it correctly identifies the cause of the noncompliant status.
upvoted 4 times
Jimmy123
2 years, 3 months ago
Option D is the correct answer. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours, which means that the IAM GenerateCredentialReport API operation must be invoked every 24 hours in order for the resources to be compliant. If the operation is invoked less frequently than this, the resources will display as noncompliant.
upvoted 1 times
...
...
Radhaghosh
3 years, 3 months ago
Option is A. This question is tricky and does not explicitly mention everything.
upvoted 4 times
...
Radhaghosh
3 years, 3 months ago
Option A
upvoted 3 times
...
sam_live
3 years, 3 months ago
Option D specifies the maximum frequency for the rule to run, therefore it's not the reason for generating a non-compliance event. To not get non-compliance status one can increase the frequency to 6, 12, or 24 hours. Option A is correct.
upvoted 3 times
...
CarisB
3 years, 3 months ago
"Earlier this month" means to me that the key rotation has been performed many days ago, so A doesn't seem relevant to me: the 4-hours-ago report should show compliancy with the rotation of the keys.
upvoted 4 times
...
f4bi4n
3 years, 4 months ago
A: The credential report checks if a report was generated within the past four hours. If the AWS config rules are triggered every 1-4 hours, a cached copy of the credential report is downloaded after 4 hours pass. For more information, see Getting credential reports for your AWS account. https://aws.amazon.com/premiumsupport/knowledge-center/config-credential-report/
upvoted 2 times
...
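The caching behaviour described in the comment above, as an added example that is not part of the original thread and not AWS Config's own rule code: a simplified model in which a rule evaluated inside the four-hour window reads the cached credential report and so reports pre-rotation key ages. The report rows, account ID, timeline and the 90-day maximum key age are constructed assumptions, and only a subset of the report's CSV columns is used.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

CACHE_WINDOW = timedelta(hours=4)  # IAM serves the same report for four hours
MAX_KEY_AGE = timedelta(days=90)   # assumed maxAccessKeyAge for access-key-rotated

# Constructed report snapshots: one taken before the rotation, one after it.
HEADER = "user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated\n"
REPORT_BEFORE_ROTATION = HEADER + (
    "alice,arn:aws:iam::111122223333:user/alice,true,true,2023-01-10T09:00:00+00:00\n"
    "bob,arn:aws:iam::111122223333:user/bob,false,true,2023-02-01T09:00:00+00:00\n"
)
REPORT_AFTER_ROTATION = HEADER + (
    "alice,arn:aws:iam::111122223333:user/alice,true,true,2023-06-01T10:30:00+00:00\n"
    "bob,arn:aws:iam::111122223333:user/bob,false,true,2023-06-01T10:30:00+00:00\n"
)
# Assumed timeline: report generated at 10:00 UTC, keys rotated at 10:30 UTC.
REPORT_GENERATED = datetime(2023, 6, 1, 10, 0, tzinfo=timezone.utc)


def served_from_cache(generated_time, now):
    """True when a report request at `now` still returns the existing report."""
    return now - generated_time < CACHE_WINDOW


def evaluate(report_csv, now):
    """Return {user: {rule: status}} for two of the four rules in the question."""
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        rotated = row["access_key_1_last_rotated"]
        key_ok = row["access_key_1_active"] != "true" or (
            rotated != "N/A"
            and now - datetime.fromisoformat(rotated) <= MAX_KEY_AGE
        )
        results[row["user"]] = {
            "access-key-rotated": "COMPLIANT" if key_ok else "NON_COMPLIANT",
            "iam-user-mfa-enabled":
                "COMPLIANT" if row["mfa_active"] == "true" else "NON_COMPLIANT",
        }
    return results


def rule_run(now):
    """Model one rule evaluation: pick cached or fresh report, then evaluate it."""
    cached = served_from_cache(REPORT_GENERATED, now)
    report = REPORT_BEFORE_ROTATION if cached else REPORT_AFTER_ROTATION
    return cached, evaluate(report, now)
```

In this model bob's iam-user-mfa-enabled finding stays noncompliant in both runs, which separates a genuine finding from one caused by the stale report.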
remyy
3 years, 4 months ago
Selected Answer: A
https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
upvoted 1 times
...
roger8978
3 years, 4 months ago
D?.....
upvoted 1 times
...