AWS Certified Security – Specialty — Question 455
A security engineer receives an abuse report email message from the AWS Trust and Safety team. The abuse report identifies a resource that appears to be compromised. The abuse report indicates that the resource is an IAM access key that belongs to a DevOps engineer in the security engineer's company. The access key is used in a deployment system that uses AWS Lambda functions to launch AWS CloudFormation stacks.
The security engineer must address the abuse report, prevent any further use of the exposed access key, and implement security best practices.
Which solution will meet these requirements?
Answer options
- A. Locate the compromised IAM access key and deactivate or delete the key. Generate new access keys for the Lambda deployment process. Apply the new keys to the deployment system. In the account that contained the compromised key, create a new support case in AWS Support to detail these remediation steps.
- B. Delete or deactivate the compromised IAM access key. Discontinue the use of IAM access keys. Create a new IAM role for the Lambda deployment process. Apply the IAM role to the deployment system Lambda functions. Respond directly to the abuse report message to detail these remediation steps.
- C. Locate the compromised IAM access key. Delete the IAM user that is associated with the access key. Generate a new access key. Store the new key as an AWS Secrets Manager secret. Encrypt the secret with an AWS Key Management Service (AWS KMS) customer managed key. Update the Lambda functions to retrieve the access key from AWS Secrets Manager at runtime. In the account that contained the compromised key, create a new support case in AWS Support to detail these remediation steps.
- D. Delete or deactivate the compromised IAM access key. Generate and store a new access key as an environment variable within the configuration of the deployment system's Lambda functions. Respond directly to the abuse report message to detail these remediation steps.
Correct answer: B
Explanation
Deleting or deactivating the compromised key immediately stops any further use of it. Best practice for AWS Lambda functions is to use the short-lived credentials that an IAM execution role supplies at runtime instead of static IAM access keys, which removes the long-lived secret from the deployment system entirely (options A, C and D keep a static key in play). Finally, responding directly to the AWS Trust and Safety abuse report is the correct procedure to resolve the abuse case.
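To show what option B looks like once implemented, here is an added example (not part of the original question or any AWS-provided template) of a CloudFormation template that defines the deployment Lambda function with an IAM execution role instead of a stored access key. The bucket name, stack-name prefix, event shape and the specific CloudFormation actions granted are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: deployment Lambda that launches CloudFormation stacks with
  temporary credentials from its IAM execution role. No static access key
  is created, stored or referenced anywhere in this template.

Parameters:
  TemplateBucket:
    Type: String
    Description: Bucket holding the stack templates to deploy (assumed name, supplied at deploy time)
  StackNamePrefix:
    Type: String
    Default: deploy-
    Description: Prefix the function is allowed to use for stack names (assumed convention)

Resources:
  # Execution role: Lambda assumes this role and the runtime receives
  # short-lived STS credentials automatically. Nothing to rotate manually,
  # and nothing for an attacker to lift from the function configuration.
  DeploymentFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs permissions for the function's own logging
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: LaunchStacks
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: only the stack operations the deployer needs,
              # and only on stacks whose names carry the agreed prefix.
              - Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:UpdateStack
                  - cloudformation:DescribeStacks
                Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${StackNamePrefix}*/*"
              # Read access to the templates the function deploys
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${TemplateBucket}/*"

  DeploymentFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt DeploymentFunctionRole.Arn
      Timeout: 60
      # Deliberately no AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY here (contrast
      # with option D): the SDK reads the role credentials from the runtime.
      Environment:
        Variables:
          TEMPLATE_BUCKET: !Ref TemplateBucket
          STACK_NAME_PREFIX: !Ref StackNamePrefix
      Code:
        ZipFile: |
          import os
          import boto3

          # No credentials passed: boto3 uses the execution role's temporary keys.
          cfn = boto3.client("cloudformation")

          def handler(event, context):
              # Assumed event shape: {"stack": "<suffix>", "template_key": "<s3 object key>"}
              name = os.environ["STACK_NAME_PREFIX"] + event["stack"]
              url = "https://{}.s3.amazonaws.com/{}".format(
                  os.environ["TEMPLATE_BUCKET"], event["template_key"])
              resp = cfn.create_stack(StackName=name, TemplateURL=url)
              return {"StackId": resp["StackId"]}

Outputs:
  DeploymentRoleArn:
    Description: Role whose activity to watch in CloudTrail in place of the old access key
    Value: !GetAtt DeploymentFunctionRole.Arn
```

Two caveats a practitioner would want: CloudFormation performs stack operations with the caller's permissions unless a service role is passed via `RoleARN`, so the execution role either needs permissions for every resource type the child stacks create, or should be given `iam:PassRole` on a dedicated CloudFormation service role and the handler should pass it. Second, after cutting over, the compromised access key should be deactivated rather than deleted first, so that CloudTrail events for that access key ID can still be attributed during the investigation; delete it once the review is complete.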