SCS-C02 · Question #436
SCS-C02 Question #436: Real Exam Question with Answer & Explanation
The correct answer is D: Open the IAM console and revoke all IAM sessions that are associated with the instance profile.
Question
A security engineer received an Amazon GuardDuty alert indicating a finding involving the Amazon EC2 instance that hosts the company's primary website. The GuardDuty finding received read: UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. The security engineer confirmed that a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor. What is the first step the security engineer should take?
Options
- A. Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.
- B. Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.
- C. Install the Amazon Inspector agent on the host and run an assessment with the CVE rules.
- D. Open the IAM console and revoke all IAM sessions that are associated with the instance profile.
Explanation
The alert indicates that a malicious actor has used the instance credentials to access AWS services. To mitigate this threat, the first step should be to revoke all active IAM sessions associated with the instance profile. This action will effectively disconnect the malicious user from AWS services by invalidating the credentials, regardless of their location. After this step, further analysis and remediation can be performed.
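The following is an added example, not part of the original question or explanation. It shows the kind of inline deny policy that revoking a role's active sessions places on the role (the IAM console names it AWSRevokeOlderSessions) and why it cuts off credentials that were already issued. The evaluator, session names and timestamps are constructed for illustration.

```python
import json
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def build_revoke_policy(revoked_at: datetime) -> dict:
    """Deny every action for sessions whose token was issued before revoked_at."""
    cutoff = revoked_at.astimezone(timezone.utc).strftime(TS_FORMAT)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}},
        }],
    }

def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)

def is_denied(policy: dict, token_issue_time: str) -> bool:
    """Minimal evaluator for this one policy shape, not a general IAM engine."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("DateLessThan", {})
        cutoff = cond.get("aws:TokenIssueTime")
        if stmt["Effect"] == "Deny" and cutoff:
            if parse_ts(token_issue_time) < parse_ts(cutoff):
                return True
    return False

# Constructed sample data: the moment of revocation and two role sessions.
REVOKED_AT = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SESSIONS = {
    "exfiltrated-session": "2024-05-01T09:15:00Z",         # issued before revocation
    "instance-refreshed-session": "2024-05-01T12:20:00Z",  # issued after revocation
}

def triage() -> dict:
    """Map each sample session to whether the revoke policy denies it."""
    policy = build_revoke_policy(REVOKED_AT)
    return {name: is_denied(policy, issued) for name, issued in SESSIONS.items()}

if __name__ == "__main__":
    print(json.dumps(build_revoke_policy(REVOKED_AT), indent=2))
    print(triage())
```

The deny applies to every session issued before the cutoff, including the credentials the instance itself currently holds, until the instance obtains fresh ones. Sessions issued after the cutoff are not affected, which is why the explanation treats revocation as the first step and leaves further analysis and remediation for afterwards.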