SCS-C02 Question #102: Real Exam Question with Answer & Explanation

Question

A company's security team needs to receive a notification whenever an AWS access key has not been rotated in 90 or more days. A security engineer must develop a solution that provides these notifications automatically. Which solution will meet these requirements with the LEAST amount of effort?

Options

• ADeploy an AWS Config managed rule to run on a periodic basis of 24 hours. Select the access-
• BCreate a script to export a .csv file from the AWS Trusted Advisor check for IAM access key
• CCreate a script to download the IAM credentials report on a periodic basis. Load the script into an
• DCreate an AWS Lambda function that queries the IAM API to list all the users. Iterate through the

Explanation

The AWS Config managed rule access-keys-rotated performs automatic periodic evaluation of IAM access key age and can trigger SNS notifications, requiring minimal configuration effort.

Common mistakes.

• B. Exporting a CSV from Trusted Advisor and scripting around it requires custom automation and does not provide native integration with a notification pipeline, requiring more ongoing effort.
• C. Downloading the IAM credentials report and parsing it in a Lambda function is a viable approach but requires custom code development, scheduling, and maintenance, representing more effort than the managed rule.
• D. Building a custom Lambda to iterate all IAM users and check key ages requires writing, deploying, scheduling, and maintaining code, which is significantly more effort than using a managed Config rule.

Concept tested. AWS Config managed rule for IAM access key rotation

Reference. https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html

No community discussion yet for this question.