AWS Certified Security – Specialty — Question 420
A company’s security engineer is investigating an Amazon GuardDuty finding for unusual activity for an IAM role. The AWS account has AWS Single Sign-On configured with federation with the company’s on-premises Active Directory domain controller. The security engineer determines that the root cause of the finding is a compromised Active Directory identity on premises. Multiple production workloads are using the IAM role on AWS.
The security engineer must mitigate the unauthorized use of the IAM role while minimizing production workload downtime on AWS.
Which combination of actions should the security engineer take to meet these requirements? (Choose two.)
Answer options
- A. Inactivate the IAM role's access key. Issue a new IAM access key.
- B. Revoke access for the identity in the on-premises Active Directory.
- C. Attach an IAM policy to the IAM role to deny all access to any AWS Security Token Service (AWS STS) tokens that were issued prior to the current time.
- D. Attach an IAM policy to the IAM role to deny access to the federated Active Directory identity's ARN.
- E. Remove the IAM role’s login profile to restrict use of the AWS Management Console.
Correct answer: B, C
Explanation
Disabling (or at least resetting the credentials of) the compromised user account in the on-premises Active Directory stops the attacker from establishing any new federated sessions, because AWS SSO only issues role credentials for identities the directory still asserts. Attaching an IAM policy to the role that denies all actions when the request's temporary credentials were issued before the current time (a Deny with a DateLessThan condition on the aws:TokenIssueTime key, which is exactly what the IAM console's "Revoke sessions" action attaches as the inline policy AWSRevokeOlderSessions) invalidates every session the attacker already holds, including ones obtained before the directory account was disabled. Legitimate workloads are affected only until they obtain fresh credentials: EC2 instance profiles, ECS task roles and the SDK credential providers refresh automatically, so the interruption is brief compared with deleting or detaching the role, and no trust policy or permission set has to be rebuilt. Options A and E are incorrect because IAM roles have neither static access keys nor console login profiles. Option D does not address the root cause: an on-premises directory identity has no IAM ARN of its own for a role policy to match, and blocking it at one role would still leave the compromised identity free to federate into any other role it is entitled to.
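The revoke-older-sessions policy described above, as an added worked example (not part of the original question or of AWS documentation). It builds the same policy document the IAM console generates, attaches it with boto3's `put_role_policy` through an injected client, and includes a small local evaluator of the `DateLessThan`/`aws:TokenIssueTime` condition so the cut-off semantics can be checked offline. The policy name `AWSRevokeOlderSessions`, the role name `ProdWorkloadRole` and the `RecordingIamClient` test double are assumptions made for the example.

```python
"""Revoke active sessions of an IAM role by denying credentials issued
before a cut-off time (the aws:TokenIssueTime condition key)."""
import json
from datetime import datetime, timezone

# Inline policy name used by the IAM console's "Revoke sessions" action.
POLICY_NAME = "AWSRevokeOlderSessions"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def utc(stamp: str) -> datetime:
    """Parse an IAM-style UTC timestamp such as 2024-01-15T12:00:00Z."""
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def build_revoke_policy(cutoff: datetime) -> dict:
    """Deny every action to sessions whose temporary credentials were issued
    before `cutoff`. Sessions created later (after workloads refresh their
    credentials) are not matched, so production traffic resumes on refresh."""
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware (use UTC)")
    stamp = cutoff.astimezone(timezone.utc).strftime(TIME_FMT)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": ["*"],
                "Resource": ["*"],
                "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
            }
        ],
    }


def session_is_denied(policy: dict, token_issue_time: datetime) -> bool:
    """Evaluate the policy's DateLessThan condition the way IAM does for a
    request signed with credentials issued at `token_issue_time`. Supports
    only the single statement shape produced by build_revoke_policy."""
    issued = token_issue_time.astimezone(timezone.utc)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cutoff_str = stmt.get("Condition", {}).get("DateLessThan", {}).get(
            "aws:TokenIssueTime"
        )
        if cutoff_str is not None and issued < utc(cutoff_str):
            return True  # explicit Deny wins over any Allow
    return False


def attach_revoke_policy(iam_client, role_name: str, cutoff: datetime) -> dict:
    """Attach the policy as an inline role policy. `iam_client` is a boto3
    IAM client (or a test double) so the call can be exercised offline."""
    policy = build_revoke_policy(cutoff)
    iam_client.put_role_policy(
        RoleName=role_name,
        PolicyName=POLICY_NAME,
        PolicyDocument=json.dumps(policy),
    )
    return policy


class RecordingIamClient:
    """Test double (assumption for the example) that records put_role_policy
    calls instead of talking to AWS."""

    def __init__(self):
        self.calls = []

    def put_role_policy(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    # Live use: python revoke_sessions.py (requires boto3 and IAM permissions).
    import boto3

    now = datetime.now(timezone.utc)
    doc = attach_revoke_policy(boto3.client("iam"), "ProdWorkloadRole", now)
    print(json.dumps(doc, indent=2))
```

Pick the cut-off as the moment you attach the policy (not the time of the finding): anything issued before it, including the attacker's sessions, is denied, while workloads that refresh afterwards continue unaffected. Remove the inline policy once the incident is closed, since it otherwise stays attached indefinitely.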