AWS Certified Security – Specialty — Question 305
A company’s security engineer receives an abuse notification from AWS. The notification indicates that someone is hosting malware from the company’s AWS account. After investigation, the security engineer finds a new Amazon S3 bucket that an IAM user created without authorization.
Which combination of steps should the security engineer take to MINIMIZE the consequences of this compromise? (Choose three.)
Answer options
- A. Encrypt all AWS CloudTrail logs.
- B. Turn on Amazon GuardDuty.
- C. Change the password for all IAM users.
- D. Rotate or delete all AWS access keys.
- E. Take snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes.
- F. Delete any resources that are unrecognized or unauthorized.
Correct answer: C, D, F
Explanation
To contain and remediate the compromise, the security engineer must revoke the potentially compromised credentials by changing the passwords of all IAM users and rotating or deleting all AWS access keys. Deleting the unauthorized S3 bucket and any other unrecognized resources then immediately stops the malware hosting. The other options, such as enabling GuardDuty or encrypting CloudTrail logs, are sound security practices but do not directly remediate the active threat.