AWS Certified Security – Specialty — Question 272
A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS
Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-key-rotated, and iam-user-unused-credentials-check.
The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked.
What could be the reason for the noncompliant status?
Answer options
- A. The IAM credential report was generated within the past 4 hours.
- B. The security engineer does not have the GenerateCredentialReport permission.
- C. The security engineer does not have the GetCredentialReport permission.
- D. The AWS Config rules have a MaximumExecutionFrequency value of 24 hours.
Correct answer: A
Explanation
AWS Config uses the IAM credential report to evaluate these specific managed rules. Because IAM limits the generation of a new credential report to once every 4 hours, AWS Config will retrieve the cached version if a report was generated too recently. This cached report likely contains outdated information from before the key rotation, causing the rules to falsely report resources as noncompliant.