Exam AWS Certified Security - Specialty SCS-C02 All Questions

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 86 discussion

A company uses SAML federation to grant users access to AWS accounts. A company workload that is in an isolated AWS account runs on immutable infrastructure with no human access to Amazon EC2. The company requires a specialized user known as a break glass user to have access to the workload AWS account and instances in the case of SAML errors. A recent audit discovered that the company did not create the break glass user for the AWS account that contains the workload.

The company must create the break glass user. The company must log any activities of the break glass user and send the logs to a security team.

Which combination of solutions will meet these requirements? (Choose two.)

  • A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities.
  • B. Create a break glass EC2 key pair for the AWS account. Provide the key pair to the security team. Use AWS CloudTrail to monitor key pair activity. Send notifications to the security team by using Amazon Simple Notification Service (Amazon SNS).
  • C. Create a break glass IAM role for the account. Allow security team members to perform the AssumeRoleWithSAML operation. Create an AWS CloudTrail trail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor security team activities.
  • D. Create a local individual break glass IAM user on the operating system level of each workload instance. Configure unrestricted security groups on the instances to grant access to the break glass IAM users.
  • E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.
Suggested Answer: AE
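The two detections that options A and E depend on, run offline over constructed CloudTrail events in the shape EventBridge delivers them (a `detail-type` plus the CloudTrail record under `detail`). This is an added example, not code from the exam question or from any commenter. The user name `breakglass-user-01`, the account ID `111122223333` and the instance IDs are hypothetical, and the matcher implements only the subset of EventBridge event-pattern semantics these two patterns need (exact values, nested objects, and `{"prefix": ...}`), not the full specification.

```python
import json

# Option A: anything the local break-glass IAM user does, console sign-in or API call.
BREAK_GLASS_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["IAMUser"],
                                "userName": ["breakglass-user-01"]}},  # hypothetical name
}

# Option E: Session Manager session lifecycle calls, whoever makes them.
SESSION_MANAGER_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["StartSession", "ResumeSession", "TerminateSession"]},
}

RULES = {"break-glass-user-activity": BREAK_GLASS_PATTERN,
         "session-manager-activity": SESSION_MANAGER_PATTERN}


def _leaf_matches(matcher, value):
    """One element of a pattern array against one event value."""
    if isinstance(matcher, dict) and "prefix" in matcher:
        return isinstance(value, str) and value.startswith(matcher["prefix"])
    return matcher == value


def matches(pattern, event):
    """EventBridge semantics for the subset used here: every pattern key must be
    present in the event, nested dicts recurse, a list is an OR of matchers."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(spec, dict):
            if not isinstance(value, dict) or not matches(spec, value):
                return False
        elif isinstance(spec, list):
            if not any(_leaf_matches(m, value) for m in spec):
                return False
        else:
            raise ValueError(f"pattern values must be dicts or lists, got {spec!r} at {key}")
    return True


def principal(detail):
    ident = detail.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def evaluate(events):
    """One alert per (event, rule) hit, in arrival order then rule order."""
    alerts = []
    for event in events:
        for rule_name, pattern in RULES.items():
            if matches(pattern, event):
                d = event["detail"]
                alerts.append({"rule": rule_name, "eventName": d.get("eventName"),
                               "principal": principal(d), "time": d.get("eventTime"),
                               "target": d.get("requestParameters", {}).get("target")})
    return alerts


def sns_message(alert):
    """Body the SNS subscription would deliver to the security team."""
    return json.dumps({"subject": f"[break-glass] {alert['rule']}", **alert}, sort_keys=True)


# Constructed sample events (not real logs); ACCOUNT and instance IDs are made up.
ACCOUNT = "111122223333"
BG_USER = {"type": "IAMUser", "userName": "breakglass-user-01",
           "arn": f"arn:aws:iam::{ACCOUNT}:user/breakglass-user-01"}
SAMPLE_EVENTS = [
    {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",   # A fires
     "detail": {"eventTime": "2024-05-01T03:12:44Z", "eventName": "ConsoleLogin",
                "userIdentity": BG_USER}},
    {"source": "aws.ssm", "detail-type": "AWS API Call via CloudTrail",             # A and E fire
     "detail": {"eventTime": "2024-05-01T03:15:02Z", "eventName": "StartSession",
                "userIdentity": BG_USER, "requestParameters": {"target": "i-0abc123def4567890"}}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",             # routine SAML use
     "detail": {"eventTime": "2024-05-01T03:20:10Z", "eventName": "DescribeInstances",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/SAMLAdmin/alice"}}},
    {"source": "aws.ssm", "detail-type": "AWS API Call via CloudTrail",             # only E fires
     "detail": {"eventTime": "2024-05-01T04:00:00Z", "eventName": "StartSession",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/PatchAutomation/ssm"},
                "requestParameters": {"target": "i-0123456789abcdef0"}}},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(sns_message(alert))
```

The first pattern keys on `userIdentity.type = IAMUser` plus the user name, which is what makes option A usable when SAML is broken: a local IAM user's events carry no assumed-role ARN, so federated traffic never satisfies the rule and the rule never depends on the IdP. The second fires for every Session Manager session, so the team still sees instance access if the break-glass user name is ever rotated. In a real deployment the two dicts are the event patterns on two EventBridge rules targeting the team's SNS topic, with a CloudTrail trail recording management events in the workload account; the CloudWatch Logs equivalent for option E as worded is a metric filter such as `{ $.eventSource = "ssm.amazonaws.com" && $.eventName = "StartSession" }` on the trail's log group.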

Comments

kejam
Highly Voted 1 year ago
Selected Answer: AE
A and E "Although the use and creation of AWS IAM users is highly discouraged, break glass users are an exception. To ensure human break-glass access to your environment, we recommend that you create the following in your AWS organization: At least two IAM users..." https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/break-glass-access.html
upvoted 9 times
Aamee
1 year ago
I think your option A might be right here because it asks about the IAM break-glass user and not any roles for the whole security team, if I understood the question correctly...
upvoted 1 times
IPLogic
Most Recent 4 days, 5 hours ago
Selected Answer: AE
The best combination of solutions to meet these requirements are A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities and E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.
upvoted 1 times
catblack
3 months, 2 weeks ago
A & E. Why:
Option A: Creating a local individual break glass IAM user ensures that there is a dedicated user with the necessary permissions to access the AWS account in case of SAML errors. Using AWS CloudTrail with Amazon CloudWatch Logs allows for detailed logging of all activities performed by the break glass user. Amazon EventBridge can be used to monitor these activities and trigger alerts or actions as needed.
Option E: AWS Systems Manager Session Manager provides a secure and auditable way to access Amazon EC2 instances without the need for direct SSH or RDP access. Configuring AWS CloudTrail to filter based on Session Manager activities ensures that all access sessions are logged. Sending these logs to an Amazon SNS topic ensures that the security team is promptly notified of any break glass user activities.
upvoted 1 times
aescudero51
6 months ago
Selected Answer: CE
My answer is C & E.
C. IAM Role with AssumeRoleWithSAML: This creates a secure break glass user in the form of an IAM role. Security team members can assume this role using their existing SAML credentials, eliminating the need for separate credentials and enhancing security. CloudTrail with CloudWatch Logs ensures activity logging, and EventBridge allows for further monitoring of security team actions within the assumed role.
E. Session Manager with CloudTrail Filter: Session Manager provides secure access to EC2 instances without needing SSH keys. Filtering CloudTrail logs based on Session Manager actions specifically captures break glass user activity on the instances. Sending these logs to SNS allows the security team to receive notifications.
upvoted 1 times
helloworldabc
2 months, 2 weeks ago
just AE
upvoted 1 times
minTwin
7 months, 1 week ago
Selected Answer: AE
A. Create a local individual break glass IAM user for the security team. This step allows the security team to have a user account they can use in emergencies. It's a dedicated account that's different from the standard federated user accounts. E. Configure AWS Systems Manager Session Manager for Amazon EC2. Session Manager will allow the security team to access EC2 instances securely without the need for SSH keys or open security groups. This service also integrates with AWS CloudTrail to log all session activity, which meets the requirement for logging and sending logs to the security team.
upvoted 2 times
mynickc
10 months, 1 week ago
Selected Answer: AE
Read the question carefully: it is asking for a user in case of a SAML error, so assuming a role with AssumeRoleWithSAML is not going to work.
upvoted 2 times
vikasj1in
10 months, 3 weeks ago
C, E. Creating a break glass IAM role allows for temporary access when needed. Allowing security team members to perform the AssumeRoleWithSAML operation ensures that the break glass user can assume the role during incidents. Configuring AWS CloudTrail with CloudWatch Logs turned on allows for the logging of activities, and EventBridge can be used to monitor those logs for security team activities. Configuring CloudTrail filters based on Session Manager actions allows logging of activities, and sending the results to an SNS topic can notify the security team.
A & B involve local user or key pair management, which may not be as scalable or auditable compared to using IAM roles and Systems Manager Session Manager. D suggests creating local individual IAM users on the operating system level, which is not the recommended approach, as it's more challenging to manage and audit compared to IAM roles and Systems Manager Session Manager.
upvoted 1 times
Daniel76
11 months, 1 week ago
Selected Answer: AE
The rest of the options: B - a key pair is very vulnerable. Very often, break glass is sealed in a physical envelope and kept in a safe. C - the question requires a break glass user. This option did not provide any user, only a role. D - the question requires a break glass user at account level, but this option provides instance level. Besides, unrestricted security groups on all such instances make them vulnerable to password guessing. The best approach is still to create break glass at account level, seal the break glass accounts with procedure and physical security, use CloudTrail to ensure its usage is accountable, and send notification to the entire security team via an SNS topic. The account level user allows the break glass user to access all EC2 instances through Session Manager.
upvoted 3 times
brpjp
11 months, 1 week ago
Correct Answer D & E: The question is to log any activities of the break glass user and send the logs to a security team. Because the logs are sent to the security team, security cannot be a break glass user, to have adequate segregation of duties. Answers A, B and C refer to the security team being a break glass user. So the correct answer is D and E.
upvoted 1 times
yorkicurke
11 months, 2 weeks ago
Selected Answer: AE
And why I did not go for C: because it relies on SAML for the AssumeRoleWithSAML operation. The question mentions that there might be SAML errors. If SAML is not functioning correctly, then the AssumeRoleWithSAML operation would also fail. This means that the security team members would not be able to assume the break glass IAM role when needed, defeating the purpose of having a break glass user for emergency access. Peace Out:)
upvoted 4 times
tayman
11 months, 2 weeks ago
Selected Answer: AE
Vote for A and E.
upvoted 1 times
dexterryu
11 months, 2 weeks ago
Selected Answer: AE
AE are correct. C would not work in the case of SAML issues which the question specifically states is the purpose.
upvoted 2 times
AgboolaKun
1 year ago
Selected Answer: CE
CE are the correct answers to this question. Folks choosing AE need to read these "A break glass role that is deployed to all the accounts in the organization, and that can only be 'assumed' by the break glass users from the management account. These roles are needed to allow access from the management account to apply and update guardrails, to troubleshoot and resolve issues with the automation tooling from the security tooling account, or to remediate security and operational issues in one of the member accounts in the AWS organization." sentences from the following link - https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/break-glass-access.html
upvoted 1 times
Aamee
1 year ago
But if you read the question again, this is what they're asking specifically: "The company must create the break glass user. The company must log any activities of the break glass user and send the logs to a security team." When even the break glass user doesn't exist, then how can the role be a choice here for this use case?... You must need to create a local user first in order to grant the role to it, right?... I know it's still very confusing, but that's how I interpreted this question..
upvoted 2 times
[Removed]
1 year ago
Selected Answer: AE
It's A rather than C due to SAML att while using IAM roles.
upvoted 2 times
marco25
1 year ago
Selected Answer: AE
A is correct; you need a local user in case SAML is broken.
upvoted 3 times
Aamee
1 year ago
Selected Answer: CE
C and E makes a good combo imo.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other