
Exam AWS Certified Security - Specialty topic 1 question 353 discussion

Question #: 353
Topic #: 1

A company’s security engineer is investigating an Amazon GuardDuty finding for unusual activity for an IAM role. The AWS account has AWS Single Sign-On configured with federation with the company’s on-premises Active Directory domain controller. The security engineer determines that the root cause of the finding is a compromised Active Directory identity on premises. Multiple production workloads are using the IAM role on AWS.

The security engineer must mitigate the unauthorized use of the IAM role while minimizing production workload downtime on AWS.

Which combination of actions should the security engineer take to meet these requirements? (Choose two.)

  • A. Inactivate the IAM role's access key. Issue a new IAM access key.
  • B. Revoke access for the identity in the on-premises Active Directory.
  • C. Attach an IAM policy to the IAM role to deny all access to any AWS Security Token Service (AWS STS) tokens that were issued prior to the current time.
  • D. Attach an IAM policy to the IAM role to deny access to the federated Active Directory identity's ARN.
  • E. Remove the IAM role’s login profile to restrict use of the AWS Management Console.
Suggested Answer: BC 🗳️

Comments

landsamboni
Highly Voted 2 years, 5 months ago
Selected Answer: BC
https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/
upvoted 7 times
Toptip
Most Recent 1 year, 11 months ago
Selected Answer: BC
B,C are correct.
upvoted 1 times
ITGURU51
2 years ago
The best practice would be to disable the compromised user account in Active Directory. This enables that the compromised account will not have access to federated or shared resources in AWS. Next we need to prevent the compromised account from being able to access the AWS Security Token Service. We can reduce the attack surface and prevent the possibility of lateral movement by restricting access to the AWS Security Token Service. This is because STS is typically used for identity federation and cross-account access. BC
upvoted 3 times
ITGURU51
2 years ago
This ensures, I meant.
upvoted 1 times
nairj
2 years, 1 month ago
Answer is B and C. A, D, and E just don't make sense.
upvoted 1 times
Smartphone
2 years, 4 months ago
B and C seem to be the correct answer. AWS STS security tokens are typically used for identity federation, providing cross-account access, and for resources related to EC2 instances that require access by other applications. So, C will not block the access of applications that are configured with a role to access other AWS services.
upvoted 1 times
awsec2
2 years, 4 months ago
The correct actions are B and C. To mitigate the unauthorized use of the IAM role while minimizing production workload downtime, the security engineer should take the following actions: Revoke access for the identity in the on-premises Active Directory: This will prevent the compromised identity from being able to use the IAM role on AWS. Attach an IAM policy to the IAM role to deny all access to any AWS Security Token Service (AWS STS) tokens that were issued prior to the current time: This will prevent the compromised identity from being able to use the IAM role on AWS by invalidating any previously issued AWS STS tokens. This will minimize downtime because the policy will only affect the compromised identity, rather than all users of the IAM role.
upvoted 2 times
Pabzzzz
2 years, 4 months ago
Option C will block all STS to the ROLE, not the identity. Remember that production workloads are using the role, so only the STS tokens for the identity need to be disabled. So BC are correct, not BD.
upvoted 1 times
Alvindo
2 years, 4 months ago
You mean B,D; your explanation is for B,D.
upvoted 1 times
Wilson_S
2 years, 4 months ago
Example Policy:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
          "DateLessThan": {"aws:TokenIssueTime": "2014-05-07T23:47:00Z"}
        }
      }
    }
upvoted 2 times
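The policy Wilson_S quotes is the "revoke older sessions" deny that option C describes. The following is an added example, not code from the question, the exam, or any commenter: it builds that policy for a chosen cutoff and then simulates the single condition it relies on (aws:TokenIssueTime compared with DateLessThan) against a few constructed role sessions, so you can see which sessions die and which survive. The role name, session labels and timestamps are made-up sample data; the attach helper uses the real boto3 iam.put_role_policy call and the inline policy name AWSRevokeOlderSessions that the IAM console's "Revoke active sessions" button uses, but it is only run if you call it yourself with AWS credentials.

```python
"""Build and locally evaluate an AWS "revoke older sessions" role policy.

Added example (not from the page). The cutoff time, role name and session
timestamps below are constructed sample data.
"""
import json
from datetime import datetime, timedelta, timezone

_ISO_Z = "%Y-%m-%dT%H:%M:%SZ"


def revoke_older_sessions_policy(cutoff: datetime) -> dict:
    """Return a policy that denies every request made with role credentials
    whose aws:TokenIssueTime is earlier than `cutoff`.

    Sessions assumed at or after the cutoff are not matched by DateLessThan
    and so are unaffected; that is what lets workloads recover by refreshing.
    """
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware (use UTC)")
    stamp = cutoff.astimezone(timezone.utc).strftime(_ISO_Z)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
            }
        ],
    }


def session_denied(policy: dict, token_issue_time: datetime) -> bool:
    """Local simulation of only the DateLessThan/aws:TokenIssueTime deny.

    This is not IAM's full evaluation engine; it mirrors the one condition the
    revoke policy uses: issued strictly before the cutoff -> denied.
    """
    for stmt in policy["Statement"]:
        cutoff_str = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if stmt["Effect"] == "Deny" and cutoff_str:
            cutoff = datetime.strptime(cutoff_str, _ISO_Z).replace(tzinfo=timezone.utc)
            if token_issue_time < cutoff:
                return True
    return False


def triage(policy: dict, sessions: dict) -> dict:
    """Map each session label to 'denied' or 'allowed' under the policy."""
    return {label: ("denied" if session_denied(policy, t) else "allowed")
            for label, t in sessions.items()}


def attach_revoke_policy(role_name: str, cutoff: datetime,
                         policy_name: str = "AWSRevokeOlderSessions") -> None:
    """Attach the deny as an inline role policy. Needs AWS credentials; not
    called by the demo below."""
    import boto3  # lazy import so the rest of the file runs without boto3
    iam = boto3.client("iam")
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(revoke_older_sessions_policy(cutoff)))


# Constructed "current time" at which the engineer attaches the policy.
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
POLICY = revoke_older_sessions_policy(NOW)
SAMPLE_SESSIONS = {
    "attacker-session-issued-2h-ago": NOW - timedelta(hours=2),
    "prod-workload-session-issued-10m-ago": NOW - timedelta(minutes=10),
    "prod-workload-session-issued-at-cutoff": NOW,
    "prod-workload-session-refreshed-after-cutoff": NOW + timedelta(minutes=5),
}


def demo() -> dict:
    """Run the triage over the constructed sessions and return the verdicts."""
    return triage(POLICY, SAMPLE_SESSIONS)


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Two things the simulation makes visible. First, the deny is keyed on the role, not on who assumed it: every session issued before the cutoff is cut off, including the production workloads' current credentials. They recover as soon as they obtain fresh credentials (instance profile and task credentials are refreshed automatically before expiry), which is why this minimizes rather than eliminates downtime, while a session issued exactly at the cutoff is not "less than" it and stays valid. Second, the policy only invalidates credentials that already exist; nothing stops the attacker from federating again and assuming the role with a new, post-cutoff session, which is why revoking the compromised Active Directory identity (option B) has to be done as well.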
Subs2021
2 years, 4 months ago
100%. B & C.
upvoted 1 times
KarthikRaveRaam
2 years, 4 months ago
@Subs2021 Can you please justify?
upvoted 2 times
maddyr
2 years, 5 months ago
Sorry, BC is correct.
upvoted 2 times
maddyr
2 years, 5 months ago
Selected Answer: BD
BD for me
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other