Exam AWS Certified Security - Specialty topic 1 question 362 discussion

Requirement "solution that minimizes application downtime" A is the only one that updates the application before inactivating (this word actually exists!) the old credentials programmatic access.

I go for A as minimal downtime. 1. Delete any AWS Management Console credentials that are associated with the IAM user. 2. Create a new access key and secret access key pair for the IAM user. Update the application to use the new credentials. 3. Inactivate the publicly exposed IAM access key. 4. Revoke any temporary AWS Security Token Service (AWS STS) credentials that are associated with the IAM user. - step 1 wont impact application as application using access key. - IAM user can have 2 access key at same time. (step 2 then step 3)

A is correct with minimum downtime to the application.

Definitely A for lowest down time

The AWS blog post people reference state: 1. Determine what resources those credentials have access to 2. Invalidate the credentials so they can no longer be used to access your account 3. Consider invalidating any temporary security credentials that might have been issued using the credentials 4. Restore appropriate access Since this is an IAM user (and not a role), the application won't be using any temporary credentails (it's using a long term access key/secret). Based on the list above, I'd originally go C. It would cause a longer period of downtime, but would focus on deactivating the credentials *before* restoring access the application. However, it's confusing, since the question states there is no sign of compromise, and they want to minimise downtime. This would push me towards A (the fact the IAM credentials are removed first is strange). Create a second acces/secret key (IAM user can have two), update the application, then revoke/disable the other credentials. I can see both A and C being correct though, depending on the situation!

A cant be done. you first need to deactivate. So C is correct

A and D create immediate downtime. B it's not good because in the meanwhile you revoke STS and do anything, it should be created other session so it's C

C makes sense.. it's not recommended to delete the credential immediately. better to disable them.

Here are the steps that the security team can take to minimize downtime while addressing the situation: Create a new access key and secret access key pair for the IAM user. Update the application to use the new credentials. Inactivate the publicly exposed IAM access key. A

Inactivate the publicly exposed IAM access key to prevent further unauthorized access to the AWS account is the first step, answer is C for me.

A - It's the only one that has a downtime close to zero and that's the priority in this case.

C - you cant delete keys without inactivating them first. Plus, A is stating to delete console credentials, which are not the same as programmatic keys.

Credentials deletion is not recommended as the first step. Preffered way is to inactivate them first as we can always return before app is updated. This removes options A and D. Answer B suggests to revoke temporary STS tokens first and as the last step to delete credentials. Here we have a threat that between these two actions the new temporary credentials can be created. https://aws.amazon.com/es/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/ I vote for C.

Upvote for A. What secdaddy said.

if the answer is B or C, then wouldn't the last step "Delete any AWS Management Console credentials that are associated with the IAM user." remove the new access keys that were just created ?

C is the right answer and here is why. There are no signs of compromise and requirement is to ensure less downtime for application. If temp credential revoked first then application also will get impacted. so the correct answer is C

https://aws.amazon.com/es/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/ - B 2.Invalidate the credentials 3.Invalidating any temporary security credentials 4.Restore appropriate access It makes no sense to do 4 step before 3... The theat actor can be still inside.