AWS Certified Security – Specialty — Question 270
A company has a new AWS account that does not have AWS CloudTrail configured. The account has an IAM access key that was issued by AWS Security Token Service (AWS STS). A security engineer discovers that the IAM access key has been compromised within the last 24 hours.
The security engineer must stop the compromised IAM access key from being used. The security engineer also must determine which activities the key has been used for so far.
What should the security engineer do to meet these requirements?
Answer options
- A. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, with the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
- B. Create a new CloudTrail trail. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM user the key belongs to. In the IAM console, revoke all active sessions for that IAM user.
- C. Create a new CloudTrail trail. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM role the key belongs to. In the IAM console, delete that IAM role.
- D. In the CloudTrail console, under CloudTrail event history, search by access key for the compromised key, view the correlated events, and identify which IAM role the key belongs to. In the IAM console, revoke all active sessions for that IAM role.
Correct answer: D
Explanation
CloudTrail event history is enabled by default in every account and retains the last 90 days of management events, so the engineer can search it by access key ID without first creating a trail. Creating a new trail (options B and C) would not help the investigation: a trail only records events from the moment it is created and cannot recover the activity of the past 24 hours. Because the key was issued by AWS STS, it is a temporary credential tied to a role session rather than to an IAM user; in event history such calls carry a userIdentity type of AssumedRole, and the sessionIssuer field inside sessionContext names the role. A quick sanity check: temporary access key IDs begin with ASIA, while long-term IAM user keys begin with AKIA. Options A and B therefore look for the wrong kind of principal. In the IAM console, choosing "Revoke sessions" on the role attaches an inline deny policy (AWSRevokeOlderSessions) that blocks every action for any session whose token was issued before the revocation time, using the aws:TokenIssueTime condition key. The stolen credentials are not destroyed, since temporary credentials cannot be recalled before they expire, but every call made with them is denied from that moment on, and sessions assumed after the cutoff are unaffected. Deleting the role (option C) would also stop the key, but it is unnecessary, disrupts legitimate users of the role, and adds nothing to the investigation.
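The procedure above, worked through in code as an added example (this is not code from the original page or from AWS): parse records in the shape `aws cloudtrail lookup-events` returns, filter them to the compromised access key, identify whether the owning principal is an assumed role or an IAM user, summarise what the key was used for, and build the same deny policy that the console's "Revoke sessions" action attaches. The account number, ARNs, access key IDs, event records and the revocation timestamp are all constructed for the example.

```python
"""Triage a compromised STS-issued access key from CloudTrail event history.

Added example, not code from the original page. The records below are
constructed to mirror what `aws cloudtrail lookup-events` returns; the
account number, ARNs and access key IDs are made up.
"""
import json
from datetime import datetime, timezone

ACCOUNT = "123456789012"                    # constructed
COMPROMISED_KEY = "ASIAEXAMPLE0000000001"   # constructed; 'ASIA' marks a temporary credential
OTHER_KEY = "AKIAEXAMPLE0000000002"         # constructed; 'AKIA' marks a long-term user key
REVOKED_AT = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)  # constructed revocation time


def _assumed_role(key, name, source, err=None):
    """Build a constructed assumed-role record in the shape CloudTrail writes."""
    ev = {"eventTime": "2024-05-01T10:03:12Z", "eventName": name, "eventSource": source,
          "userIdentity": {"type": "AssumedRole", "accessKeyId": key,
                           "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/DeployRole/ci-session",
                           "sessionContext": {"sessionIssuer": {
                               "type": "Role", "arn": f"arn:aws:iam::{ACCOUNT}:role/DeployRole"}}}}
    if err:
        ev["errorCode"] = err
    return ev


# Constructed lookup-events response: three calls with the stolen key (one denied)
# and one unrelated call by an IAM user with a long-term key.
SAMPLE_RESPONSE = {"Events": [{"CloudTrailEvent": json.dumps(e)} for e in [
    _assumed_role(COMPROMISED_KEY, "ListBuckets", "s3.amazonaws.com"),
    _assumed_role(COMPROMISED_KEY, "CreateUser", "iam.amazonaws.com", err="AccessDenied"),
    _assumed_role(COMPROMISED_KEY, "GetCallerIdentity", "sts.amazonaws.com"),
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accessKeyId": OTHER_KEY, "userName": "alice",
                      "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}},
]]}


def credential_kind(access_key_id):
    """Prefix check: STS temporary credentials start with ASIA, long-term keys with AKIA."""
    if access_key_id.startswith("ASIA"):
        return "temporary"
    if access_key_id.startswith("AKIA"):
        return "long-term"
    return "unknown"


def parse_lookup_events(response):
    """lookup-events embeds each record as a JSON string in CloudTrailEvent; decode them."""
    return [json.loads(e["CloudTrailEvent"]) for e in response["Events"]]


def events_for_key(events, access_key_id):
    """Keep only the records made with the given access key ID."""
    return [e for e in events if e.get("userIdentity", {}).get("accessKeyId") == access_key_id]


def principal(events):
    """Who owns the key: the issuing role for an assumed-role session, else the IAM user."""
    for e in events:
        ident = e["userIdentity"]
        if ident["type"] == "AssumedRole":
            return {"type": "Role", "arn": ident["sessionContext"]["sessionIssuer"]["arn"]}
        if ident["type"] == "IAMUser":
            return {"type": "IAMUser", "arn": ident["arn"]}
    return None


def activity(events):
    """Unique service:Action pairs the key was used for, flagging calls that were denied."""
    seen = set()
    for e in events:
        tag = f"{e['eventSource'].split('.')[0]}:{e['eventName']}"
        if e.get("errorCode"):
            tag += f" [{e['errorCode']}]"
        seen.add(tag)
    return sorted(seen)


def revoke_older_sessions_policy(revoked_at):
    """Inline deny policy equivalent to what the IAM console's 'Revoke sessions' attaches."""
    if revoked_at.tzinfo is None:
        revoked_at = revoked_at.replace(tzinfo=timezone.utc)
    stamp = revoked_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}


def triage(response, access_key_id, revoked_at=None):
    """Kind of key, owning principal, observed activity, and (for a role) the containment policy."""
    hits = events_for_key(parse_lookup_events(response), access_key_id)
    who = principal(hits)
    result = {"kind": credential_kind(access_key_id), "principal": who, "actions": activity(hits)}
    if who and who["type"] == "Role":
        result["role_name"] = who["arn"].rsplit("/", 1)[-1]
        result["policy"] = revoke_older_sessions_policy(revoked_at or datetime.now(timezone.utc))
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE, COMPROMISED_KEY, REVOKED_AT), indent=2))
```

Against a real account the input would come from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key>`, and the generated policy would be applied with `aws iam put-role-policy --role-name <role> --policy-name AWSRevokeOlderSessions --policy-document file://policy.json`, which is the same change the console makes. Two caveats: event history contains management events only, so data-plane calls such as S3 object reads will not appear, and events can take several minutes to show up, so an empty result for a key used moments ago is not proof it was unused.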