A Security Engineer has been asked to create an automated process to disable IAM user access keys that are more than three months old. Which of the following options should the Security Engineer use?
A. In the AWS Console, choose the IAM service and select "Users". Review the "Access Key Age" column.
B. Define an IAM policy that denies access if the key age is more than three months and apply to all users.
C. Write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs.
D. Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.
The answer is C.
D is wrong. You cannot use "CloudWatch alarms" for this; it should be a "CloudWatch event rule".
You could totally write a script that uses the GenerateCredentialReport, GetCredentialReport, and UpdateAccessKey APIs. So, answer C is correct.
You can use a CloudWatch Events rule that matches on alarm evaluation changes and then triggers a Lambda function that parses the alarm event and creates a customized notification.
https://aws.amazon.com/blogs/mt/customize-amazon-cloudwatch-alarm-notifications-to-your-local-time-zone-part-1/#:~:text=You%20can%20use%20a%20CloudWatch,and%20creates%20a%20customized%20notification.
Correct Answer: D
Explanation:
Create a CloudWatch Alarm:
Set up a CloudWatch alarm to monitor the age of IAM access keys. CloudWatch allows you to create alarms based on custom metrics.
Define the Threshold:
Set the threshold for the alarm to trigger when access keys are older than three months (90 days).
Use an AWS Lambda function:
Configure the CloudWatch alarm to trigger an AWS Lambda function when the alarm state changes (e.g., when it breaches the threshold).
Lambda Function to Disable Keys:
In the Lambda function, use AWS SDK/APIs (such as listAccessKeys and updateAccessKey) to identify IAM users with access keys older than 90 days and disable those keys.
C must be the correct one. There is no CW metric to analyze the credentials' age, so no alarm can be triggered. You can configure an EventBridge rule to run a Lambda on a regular basis. That Lambda, using code, can check the age of the credentials and change them. It is true that in C I miss a cron to run the script automatically from time to time, but... Another cool approach would be to use Config -> https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
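The script that the answer-C comments describe (GenerateCredentialReport and GetCredentialReport to find stale keys, UpdateAccessKey to disable them, run on a schedule from an EventBridge rule) looks roughly like the following. This is an added example, not code from any post above or from AWS. It assumes boto3 and credentials allowed to call iam:GenerateCredentialReport, iam:GetCredentialReport, iam:ListAccessKeys and iam:UpdateAccessKey; the sample credential report, the user names and the key ids in it are constructed, and the DRY_RUN environment variable is this example's own convention.

```python
"""Disable IAM user access keys older than a threshold, driven by the credential report.
Added example (not from the thread or AWS). Assumes boto3 and IAM permissions for
GenerateCredentialReport, GetCredentialReport, ListAccessKeys and UpdateAccessKey."""
import csv
import io
import os
import time
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # "more than three months" in the question

# Credential report columns for the two key slots: active flag and rotation (creation) date
KEY_COLUMNS = (
    ("access_key_1_active", "access_key_1_last_rotated"),
    ("access_key_2_active", "access_key_2_last_rotated"),
)

# Constructed sample report (not real data). The real report has more columns
# (arn, password_*, mfa_active, ...); DictReader ignores columns we never read.
SAMPLE_REPORT = (
    "user,access_key_1_active,access_key_1_last_rotated,"
    "access_key_2_active,access_key_2_last_rotated\n"
    "<root_account>,true,2020-01-01T00:00:00+00:00,false,N/A\n"
    "alice,true,2024-01-10T12:00:00+00:00,true,2024-05-01T00:00:00+00:00\n"
    "bob,false,2023-12-01T00:00:00+00:00,false,N/A\n"
    "carol,true,2024-04-01T00:00:00+00:00,false,N/A\n"
    "dave,false,N/A,true,2023-06-01T00:00:00+00:00\n"
)


def parse_report_timestamp(value):
    """Report timestamps are ISO 8601 in UTC; 'N/A' / 'not_supported' mean no key."""
    if value in ("N/A", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def find_stale_keys(report_csv, now, max_age_days=MAX_AGE_DAYS):
    """Return [(user, slot), ...] for active keys rotated more than max_age_days before now.
    slot is 1 or 2: the report shows key state and age but not the key id, so the
    caller still needs ListAccessKeys to learn which id to disable."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root keys are not managed with UpdateAccessKey(UserName=...); handle out of band
        for slot, (active_col, rotated_col) in enumerate(KEY_COLUMNS, start=1):
            rotated = parse_report_timestamp(row[rotated_col])
            if row[active_col] == "true" and rotated is not None and rotated < cutoff:
                stale.append((row["user"], slot))
    return stale


def select_keys_to_disable(key_metadata, now, max_age_days=MAX_AGE_DAYS):
    """From ListAccessKeys metadata, pick ids of active keys created before the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in key_metadata
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]


def fetch_credential_report(iam):
    """Generate the report and poll until COMPLETE; generation is asynchronous."""
    for _ in range(30):
        if iam.generate_credential_report()["State"] == "COMPLETE":
            return iam.get_credential_report()["Content"].decode("utf-8")
        time.sleep(2)
    raise TimeoutError("credential report not ready after 60 s")


def disable_stale_keys(iam, now=None, max_age_days=MAX_AGE_DAYS, dry_run=True):
    """One report call finds the users; ListAccessKeys gives the ids to set Inactive.
    Returns [(user, key_id), ...] disabled (or, in dry_run, that would be disabled).
    Keys are deactivated, not deleted, so a key still in use can be re-enabled."""
    now = now or datetime.now(timezone.utc)
    report = fetch_credential_report(iam)
    users = sorted({user for user, _ in find_stale_keys(report, now, max_age_days)})
    acted = []
    for user in users:
        # A user has at most two access keys, so no pagination is needed here.
        metadata = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
        for key_id in select_keys_to_disable(metadata, now, max_age_days):
            if not dry_run:
                iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
            acted.append((user, key_id))
    return acted


def lambda_handler(event, context):
    """Entry point for a scheduled EventBridge (CloudWatch Events) rule.
    Dry-run unless the DRY_RUN environment variable (this example's convention) is 'false'."""
    import boto3  # imported here so the pure functions above run without boto3 installed
    dry_run = os.environ.get("DRY_RUN", "true").lower() != "false"
    acted = disable_stale_keys(boto3.client("iam"), dry_run=dry_run)
    return {"dry_run": dry_run, "keys": [f"{u}:{k}" for u, k in acted]}


if __name__ == "__main__":
    # Offline demonstration on the constructed report; no AWS calls are made.
    print(find_stale_keys(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc)))
```

The report is used only to decide which users need a closer look, so a large account costs one report call plus a ListAccessKeys per affected user rather than a ListAccessKeys per user. Running the handler with the default dry run first, and comparing its output with the AWS Config access-keys-rotated rule mentioned above, is the sensible way to confirm the threshold before letting it deactivate anything.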
I have passed the exam recently, and confirm that some questions on this site are word for word the same as the ones I have gotten in the exam, which is a clear violation of the Amazon terms, so I will not comment on which ones exactly. However, many answers on this site are comically bad, so at least the students still have some homework to do.
Also, I confirm that you are not given detailed results, so the guy who keeps saying "I had this question in my exam, answer is X" is a fool.
Not the best solution but possible to do it with AWS CloudWatch Alarm:
Create a CloudWatch metric filter: Create a CloudWatch metric filter that extracts the creation date of IAM user access keys.
Create a CloudWatch alarm: Create a CloudWatch alarm that triggers when the IAM user access key is more than three months old.
Set up an AWS Lambda function: Set up an AWS Lambda function to disable the access key when the CloudWatch alarm triggers.
Test the alarm: Test the CloudWatch alarm by generating some old IAM user access keys and verifying that they trigger the Lambda function to disable the access key.
Monitor the alarm: Monitor the CloudWatch alarm and the Lambda function to ensure that they are functioning correctly and that access keys are being disabled as expected.
A - No such option is available in the AWS console.
B - An IAM policy defines permissions, nothing related to a user's credentials.
C - This looks like the right answer, but it does not meet the automated process requirement. Ref: https://docs.aws.amazon.com/cli/latest/reference/iam/update-access-key.html
D - This meets all the criteria.
I'll go with D.
Without any doubt it's D. AWS will not have to tell you it's a CloudWatch Event to choose the correct answer.
https://aws.amazon.com/blogs/mt/customize-amazon-cloudwatch-alarm-notifications-to-your-local-time-zone-part-1/#:~:text=You%20can%20use%20a%20CloudWatch,and%20creates%20a%20customized%20notification.
It's a vague question. C is missing a trigger and needs to mess with an API. Whereas in D, there's nothing like an age detection alarm. The only way I can imagine is to either use a scheduled CloudWatch event which will in turn trigger a Lambda with the SDK and do the steps mentioned in C, or use AWS Config, triggering a Lambda as a remediation action.
https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html
This operation can be used to disable a user's key as part of a key rotation workflow.