ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 109 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 109
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check.

The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked.

What could be the reason for the noncompliant status?

  • A. The IAM credential report was generated within the past 4 hours.
  • B. The security engineer does not have the GenerateCredentialReport permission.
  • C. The security engineer does not have the GetCredenlialReport permission.
  • D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by oioi at Nov. 23, 2023, 10:10 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
AgboolaKun
Highly Voted 11 months, 1 week ago
Selected Answer: A
The report was generated within the past 4 hours - https://repost.aws/knowledge-center/config-credential-report
upvoted 8 times
...
navid1365
Most Recent 5 months, 1 week ago
Selected Answer: A
AWS Config rules such as mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check rely on data from the IAM credential report. The IAM credential report is updated automatically every four hours, and changes in IAM (such as rotating access keys) may not be reflected in the report immediately. If the IAM credential report was generated within the past 4 hours, AWS Config might not yet have the updated information, causing the resources to display as noncompliant.
upvoted 4 times
...
Raphaello
8 months, 1 week ago
Selected Answer: A
A. You can generate a credential report as often as once every four hours https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
upvoted 1 times
...
awssecuritynewbie
8 months, 2 weeks ago
what a shit question btw! He has enabled a bunch of AWS configs, and then they are showing non-compliant. this can be anything really but yeah.
upvoted 2 times
...
vikasj1in
9 months, 2 weeks ago
Selected Answer: A
When these AWS Config rules are triggered, they rely on the latest IAM credential report to evaluate compliance. If the IAM credential report has been generated within the past 4 hours, it might not reflect the most recent changes, such as the rotation of access keys. To address this, it's a good practice to ensure that the IAM credential report is generated and updated at regular intervals, and AWS Config rules are then evaluated against the most recent report. You can schedule the generation of the IAM credential report and the evaluation of AWS Config rules accordingly. A &C are incorrect because the noncompliance is related to the timeliness of the IAM credential report rather than permissions. Option D is incorrect because the MaximumExecutionFrequency value doesn't affect the initial evaluation of the rules; it determines how often the rule is re-evaluated after its first evaluation.
upvoted 3 times
...
brpjp
10 months ago
Answer D may be correct, on assumption that if maximumexecutionfrequency is 24 hours, then report is one day old rather than 4 hours mentioned on option A. Anyone can clarify my understanding.
upvoted 1 times
...
yorkicurke
10 months, 1 week ago
Selected Answer: A
Explained in the following link; https://repost.aws/knowledge-center/config-credential-report
upvoted 1 times
yorkicurke
10 months, 1 week ago
oh shoot AgboolaKun already mentioned it. ok thumbs up for you AgboolaKun
upvoted 1 times
...
...
Aamee
11 months ago
Selected Answer: A
Agreed on A.
upvoted 1 times
...
[Removed]
11 months, 1 week ago
Selected Answer: A
I agree with AgboolaKun. Read the link for some good insight
upvoted 1 times
...
oioi
11 months, 1 week ago
Selected Answer: D
correct
upvoted 1 times
ykhan321
10 months, 1 week ago
Anything else besides correct?
upvoted 2 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago