AWS Certified Security – Specialty (SCS-C02) — Question 103
A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check.
The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked.
What could be the reason for the noncompliant status?
Answer options
- A. The IAM credential report was generated within the past 4 hours.
- B. The security engineer does not have the GenerateCredentialReport permission.
- C. The security engineer does not have the GetCredentialReport permission.
- D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
Correct answer: A
Explanation
The correct answer is A because AWS Config rules can take time to reflect changes: IAM returns the existing credential report when one was generated within the past 4 hours instead of building a new one, so the results may not yet show compliance. Options B and C are incorrect because they pertain to permissions that do not directly affect the compliance status shown by AWS Config. Option D is also incorrect because, while the execution frequency may delay checks, it does not explain the immediate noncompliance after generating the report.