Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 109 discussion

A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check.

The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked.

What could be the reason for the noncompliant status?

  • A. The IAM credential report was generated within the past 4 hours.
  • B. The security engineer does not have the GenerateCredentialReport permission.
  • C. The security engineer does not have the GetCredentialReport permission.
  • D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
Suggested Answer: A

Comments

AgboolaKun
Highly Voted 1 year ago
Selected Answer: A
The report was generated within the past 4 hours - https://repost.aws/knowledge-center/config-credential-report
upvoted 8 times
...
navid1365
Most Recent 6 months, 2 weeks ago
Selected Answer: A
AWS Config rules such as mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check rely on data from the IAM credential report. The IAM credential report is updated automatically every four hours, and changes in IAM (such as rotating access keys) may not be reflected in the report immediately. If the IAM credential report was generated within the past 4 hours, AWS Config might not yet have the updated information, causing the resources to display as noncompliant.
upvoted 2 times
...
Raphaello
9 months, 2 weeks ago
Selected Answer: A
A. You can generate a credential report as often as once every four hours https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
upvoted 1 times
...
awssecuritynewbie
9 months, 3 weeks ago
What a shit question btw! He has enabled a bunch of AWS configs, and then they are showing non-compliant. This can be anything really but yeah.
upvoted 2 times
...
vikasj1in
10 months, 3 weeks ago
Selected Answer: A
When these AWS Config rules are triggered, they rely on the latest IAM credential report to evaluate compliance. If the IAM credential report has been generated within the past 4 hours, it might not reflect the most recent changes, such as the rotation of access keys. To address this, it's a good practice to ensure that the IAM credential report is generated and updated at regular intervals, and AWS Config rules are then evaluated against the most recent report. You can schedule the generation of the IAM credential report and the evaluation of AWS Config rules accordingly. A & C are incorrect because the noncompliance is related to the timeliness of the IAM credential report rather than permissions. Option D is incorrect because the MaximumExecutionFrequency value doesn't affect the initial evaluation of the rules; it determines how often the rule is re-evaluated after its first evaluation.
upvoted 3 times
...
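Added example (not part of any comment in this thread and not AWS code): a check for the situation the comments describe, where a credential report generated before a key rotation still drives the compliance verdict until the four-hour window passes. The report rows, timestamps, the `rotations` change record and the 90-day threshold are constructed assumptions; the column names follow the credential report CSV.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

REPORT_REUSE_WINDOW = timedelta(hours=4)  # the four-hour window cited in the thread

# Constructed sample: a subset of the credential report's CSV columns.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated
alice,true,2024-01-10T12:00:00+00:00
bob,true,2024-04-20T08:00:00+00:00
"""

def next_fresh_report(generated_time):
    """Earliest time a new report is built instead of the existing one being reused."""
    return generated_time + REPORT_REUSE_WINDOW

def evaluate(report_csv, generated_time, now, rotations, max_key_age_days=90):
    """Judge key age from the report and flag verdicts that predate a rotation.

    rotations maps user -> time the key was actually rotated (assumed to come
    from your own change records). max_key_age_days is an assumed threshold.
    """
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["access_key_1_active"] != "true":
            continue
        rotated = datetime.fromisoformat(row["access_key_1_last_rotated"])
        age_days = (now - rotated).days
        verdict = "NON_COMPLIANT" if age_days > max_key_age_days else "COMPLIANT"
        changed = rotations.get(row["user"])
        # A report cannot contain a rotation that happened after it was generated.
        stale = changed is not None and changed > generated_time
        results[row["user"]] = {
            "verdict_from_report": verdict,
            "stale": stale,
            "recheck_after": next_fresh_report(generated_time) if stale else None,
        }
    return results

if __name__ == "__main__":
    utc = timezone.utc
    generated = datetime(2024, 5, 1, 8, 0, tzinfo=utc)         # constructed
    rotations = {"alice": datetime(2024, 5, 1, 9, 30, tzinfo=utc)}
    now = datetime(2024, 5, 1, 10, 0, tzinfo=utc)
    for user, result in evaluate(SAMPLE_REPORT, generated, now, rotations).items():
        print(user, result)
```

A verdict marked `stale` reflects the pre-rotation state; re-evaluating the rule after `recheck_after` uses a report that can include the change.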
brpjp
11 months, 1 week ago
Answer D may be correct, on the assumption that if MaximumExecutionFrequency is 24 hours, then the report is one day old rather than the 4 hours mentioned in option A. Can anyone clarify my understanding?
upvoted 1 times
...
yorkicurke
11 months, 2 weeks ago
Selected Answer: A
Explained in the following link: https://repost.aws/knowledge-center/config-credential-report
upvoted 1 times
yorkicurke
11 months, 2 weeks ago
Oh shoot, AgboolaKun already mentioned it. OK, thumbs up for you, AgboolaKun.
upvoted 1 times
...
...
Aamee
1 year ago
Selected Answer: A
Agreed on A.
upvoted 1 times
...
[Removed]
1 year ago
Selected Answer: A
I agree with AgboolaKun. Read the link for some good insight.
upvoted 1 times
...
oioi
1 year ago
Selected Answer: D
correct
upvoted 1 times
ykhan321
11 months, 2 weeks ago
Anything else besides correct?
upvoted 2 times
...
...