AWS Certified Security – Specialty — Question 303
A company is using an organization in AWS Organizations to manage its AWS accounts. The company runs its primary application on Amazon EC2 instances. A security engineer discovers unauthorized access in one of the company’s developer AWS accounts. An investigation reveals that AWS access keys from the developer account were mistakenly added to a public source code repository.
Which combination of actions should the security engineer take to secure the compromised account? (Choose two.)
Answer options
- A. Rotate all the access key pairs in the compromised account.
- B. Create a security group that denies traffic from the internet. Attach the security group to all EC2 instances in the compromised account.
- C. Temporarily remove the compromised account from the organization.
- D. Delete all EC2 key pairs in the compromised account.
- E. Delete any potentially unauthorized IAM users in the compromised account. Change the password for all other IAM users.
Correct answer: A, E
Explanation
Rotating all access keys (A) and removing unauthorized IAM users while updating passwords for the remaining ones (E) remediates the credential leak by invalidating the exposed keys and securing user access. Modifying security groups (B) or deleting EC2 key pairs (D) does not address the leaked IAM access keys, and removing the account from AWS Organizations (C) fails to remediate the internal security compromise.