Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 86 discussion

A and E "Although the use and creation of AWS IAM users is highly discouraged, break glass users are an exception. To ensure human break-glass access to your environment, we recommend that you create the following in your AWS organization: At least two IAM users..." https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/break-glass-access.html

and why i did not go for C; Because it relies on SAML for the AssumeRoleWithSAML operation. Question mentions that there might be SAML errors. If SAML is not functioning correctly, then the AssumeRoleWithSAML operation would also fail. This means that the security team members would not be able to assume the break glass IAM role when needed, defeating the purpose of having a break glass user for emergency access. Peace Out:)

The best combination of solutions to meet these requirements are A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities and E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.

A & E why: Option A: Creating a local individual break glass IAM user ensures that there is a dedicated user with the necessary permissions to access the AWS account in case of SAML errors. Using AWS CloudTrail with Amazon CloudWatch Logs allows for detailed logging of all activities performed by the break glass user. Amazon EventBridge can be used to monitor these activities and trigger alerts or actions as needed. Option E: AWS Systems Manager Session Manager provides a secure and auditable way to access Amazon EC2 instances without the need for direct SSH or RDP access. Configuring AWS CloudTrail to filter based on Session Manager activities ensures that all access sessions are logged. Sending these logs to an Amazon SNS topic ensures that the security team is promptly notified of any break glass user activities.

My answer is C & E C. IAM Role with AssumeRoleWithSAML: This creates a secure break glass user in the form of an IAM role. Security team members can assume this role using their existing SAML credentials, eliminating the need for separate credentials and enhancing security. CloudTrail with CloudWatch Logs ensures activity logging, and EventBridge allows for further monitoring of security team actions within the assumed role. E. Session Manager with CloudTrail Filter: Session Manager provides secure access to EC2 instances without needing SSH keys. Filtering CloudTrail logs based on Session Manager actions specifically captures break glass user activity on the instances. Sending these logs to SNS allows the security team to receive notifications.

A. Create a local individual break glass IAM user for the security team. This step allows the security team to have a user account they can use in emergencies. It's a dedicated account that's different from the standard federated user accounts. E. Configure AWS Systems Manager Session Manager for Amazon EC2. Session Manager will allow the security team to access EC2 instances securely without the need for SSH keys or open security groups. This service also integrates with AWS CloudTrail to log all session activity, which meets the requirement for logging and sending logs to the security team.

read the question carefully, it is asking for a user incase SAML error so assuming role with AssumeRoleWithSAML is not gonna work.

C, E. Creating a break glass IAM role allows for temporary access when needed. Allowing security team members to perform the AssumeRoleWithSAML operation ensures that the break glass user can assume the role during incidents. Configuring AWS CloudTrail with CloudWatch Logs turned on allows for the logging of activities, and EventBridge can be used to monitor those logs for security team activities.Configuring CloudTrail filters based on Session Manager actions allows logging of activities, and sending the results to an SNS topic can notify the security team. A & B involve local user or key pair management, which may not be as scalable or auditable compared to using IAM roles and Systems Manager Session Manager. D suggests creating local individual IAM users on the operating system level, which is not the recommended approach, as it's more challenging to manage and audit compared to IAM roles and System Manager Session Manager.

The rest of the options: B- key pair is very vulnerable. very often, breakglass is sealed in physical envelope and kept in safe. C- the question requires breakglass user. This option did not provide any user but role. D- the question require breakglass user at account level but this option provide instance level. Besides, unrestricted security group for all such instances make them vulnerable to password guessing. The best approach is still create breakglass at account level, seal the breakglass accounts with procedure and physical security, use cloudtrail to ensure its usage is accountable and notification to the entire security team is sent via SNS topic. The account level user allows breakglass user to access to all EC2 instances through session manager.

Correct Answer D & E: Question is to log any activities of the break glass user and send the logs to a security team. Because of sending logs to security team, security can not be a break glass user to have adequate segregation of duties. Answer A, B and C refer to security team be a break glass user. So correct answer is D and E.

Vote for A and E.

AE are correct. C would not work in the case of SAML issues which the question specifically states is the purpose.

AE are correct. C would not work in the case of SAML issues which the question specifically states is the purpose.

CE are the correct answers to this question. Folks choosing AE need to read these "A break glass role that is deployed to all the accounts in the organization, and that can only be 'assumed' by the break glass users from the management account. These roles are needed to allow access from the management account to apply and update guardrails, to troubleshoot and resolve issues with the automation tooling from the security tooling account, or to remediate security and operational issues in one of the member accounts in the AWS organization." sentences from the following link - https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/break-glass-access.html

Its A rather than C due to SAML att while using IAM roles.

A is correct need local user in case same is broken

C and E makes a good combo imo.