AWS Certified Security – Specialty (SCS-C03) — Question 29

A security engineer for a company needs to design an incident response plan that addresses compromised IAM user account credentials. The company uses an organization in AWS Organizations and AWS IAM Identity Center to manage user access. The company uses a delegated administrator account to implement AWS Security Hub. The delegated administrator account contains an organizational trail in AWS CloudTrail that logs all events to an Amazon S3 bucket. The company has also configured an organizational event data store that captures all events from the trail.
The incident response plan must provide steps that the security engineer can take to immediately disable any compromised IAM user when the security engineer receives a notification of a security incident.
The plan must prevent the IAM user from being used in any AWS account. The plan must also collect all AWS actions that the compromised IAM user performed across all accounts in the previous 7 days.
Which solution will meet these requirements?

Answer options

Correct answer: D

Explanation

The correct answer is D because disabling the IAM user's access in IAM Identity Center ensures that the user cannot access any AWS account in the organization. Additionally, using CloudTrail to query the organizational event data store retrieves every action the compromised IAM user performed across all accounts in the last 7 days. The other options either fail to completely disable the user or do not use the most effective method for tracking the user's actions.
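The evidence-collection half of the plan, as an added example that is not part of the original question or explanation: a shell script that builds a CloudTrail Lake query against the organizational event data store for one principal's activity in the last 7 days, starts it with the AWS CLI, polls until it finishes, and prints the results. The event data store ID and user name are hypothetical inputs; the query also matches Identity Center sessions whose assumed-role ARN ends in the user name, since those are how Identity Center users appear in member accounts. Disabling the user in IAM Identity Center is a separate step done in the Identity Center console.

```shell
#!/usr/bin/env bash
# Added example: query a CloudTrail Lake organizational event data store for
# everything one user did, in every account, since a given UTC timestamp.
set -eu

# Build the CloudTrail Lake SQL statement.
# $1 = event data store ID (hypothetical), $2 = user name, $3 = 'YYYY-MM-DD HH:MM:SS' UTC.
# Values are operator-supplied from the incident ticket, not untrusted input.
build_query() {
  local eds_id="$1" user="$2" since="$3"
  cat <<EOF
SELECT eventTime, recipientAccountId, awsRegion, eventSource, eventName,
       sourceIPAddress, errorCode, userIdentity.arn
FROM $eds_id
WHERE eventTime > '$since'
  AND (userIdentity.userName = '$user'
       OR userIdentity.arn LIKE '%:assumed-role/AWSReservedSSO_%/$user')
ORDER BY eventTime DESC
EOF
}

# Default lookback window: 7 days ago, UTC (GNU date syntax).
seven_days_ago() { date -u -d '7 days ago' '+%Y-%m-%d %H:%M:%S'; }

# Start the query, wait for it to finish, then print the result rows as JSON.
# Needs the AWS CLI plus cloudtrail:StartQuery, DescribeQuery and GetQueryResults
# on the event data store in the delegated administrator account.
run_query() {
  local eds_id="$1" user="$2" since="${3:-$(seven_days_ago)}"
  local stmt query_id status
  stmt=$(build_query "$eds_id" "$user" "$since")
  query_id=$(aws cloudtrail start-query --query-statement "$stmt" \
               --query 'QueryId' --output text)
  while :; do
    status=$(aws cloudtrail describe-query --query-id "$query_id" \
               --query 'QueryStatus' --output text)
    case "$status" in
      FINISHED) break ;;
      FAILED|CANCELLED|TIMED_OUT) echo "query $query_id ended: $status" >&2; return 1 ;;
      *) sleep 5 ;;
    esac
  done
  aws cloudtrail get-query-results --query-id "$query_id" --output json
}

# Usage (not run when this file is sourced):
#   run_query EXAMPLE-EDS-ID compromised-user
```

The `recipientAccountId` column shows which member account each event landed in, which is what makes a single query against the organizational event data store sufficient for the cross-account requirement.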