Exam AWS Certified Security - Specialty topic 1 question 32 discussion

The answer should be B. We can achieve this using AWS Config. https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html https://docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html

Hi Guys, answer is C. Based on past experience with AWS exams, AWS really like to based questions on their blogs and article to see how updated you are. Below are 2 article that shows exactly where the answer is found. 80% of the PRO exam are now based on these articles. That's why it's so damn hard. C https://aws.amazon.com/blogs/mt/monitor-changes-and-auto-enable-logging-in-aws-cloudtrail/ https://github.com/aws/Trusted-Advisor-Tools/tree/master/ExposedAccessKeys

AWS Config managed rule to check on root access key if they exist. https://docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html Another AWS Config managed rule to check if CloudTrail is enabled. https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html Option B is correct.

B is incorrect, because you have to create custom config rule to check api call for root user create-api-key.

B is correct. C would be better if there was not mentioned AWS trusted advisor, which makes the whole sentence wrong.

Answer should be B

Config can trigger Lambdas for remediation apart from SSM. Also Config is not watching API calls, it should watch for API logging de/activation so the answer is B.

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html

I looked into C, there doesn't seem to be a Trusted Advisor check for root API keys: https://docs.aws.amazon.com/awssupport/latest/user/security-checks.html AWS Config is about automated tracking and remediation of uncompliant resources, but I wasn't sure it could track the api key creation. https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html Suggests it can. AWS provide two managed rules: iam-root-access-key-check multi-region-cloudtrail-enabled or cloudtrail-security-trail-enabled So this would be my choice.

Answer should be B

To ensure that CloudTrail remains enabled in your account, AWS Config provides the cloudtrail-enabled managed rule. If CloudTrail is turned off, the cloudtrail-enabled rule automatically re-enables it by using automatic remediation. Source: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html

To detect and automatically remediate the incident, you could use AWS Config to create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys. B

B is correct. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-re-enable-aws-cloudtrail-by-using-a-custom-remediation-rule-in-aws-config.html

AWS wants to use managed services. Config can check and remediate if the Cloud trail is stopped and lambda can start it. in B, I do know what can do Trusted advisor to start CT logging. This last service is more to check resource utilization and so on...

Question Keyword is "detect and automatically remediate", of CloudTrail disable & create API keys AWS config with lambda will does all these https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html

It would be B bc it says automatically

You can achieve the same thing both ways. B and C both can use lambda import boto3 def lambda_handler(event, context): # Re-enable CloudTrail logs cloudtrail = boto3.client('cloudtrail') cloudtrail.start_logging(Name='my-cloudtrail') # Deactivate root API key iam = boto3.client('iam') iam.update_access_key(UserName='root', AccessKeyId='my-api-key', Status='Inactive')