Which AWS Trusted Advisor check includes the verification of AWS CloudTrail logging

During a recent internal investigation, it was discovered that all API logging was disabled in a production account, and the root user had created new API keys that appear to have been used several times.
What could have been done to detect and automatically remediate the incident?

  • A. Using Amazon Inspector, review all of the API calls and configure the inspector agent to leverage SNS topics to notify security of the change to AWS CloudTrail, and revoke the new API keys for the root user.
  • B. Using AWS Config, create a config rule that detects when AWS CloudTrail is disabled, as well as any calls to the root user create-api-key. Then use a Lambda function to re-enable CloudTrail logs and deactivate the root API keys.
  • C. Using Amazon CloudWatch, create a CloudWatch event that detects AWS CloudTrail deactivation and a separate Amazon Trusted Advisor check to automatically detect the creation of root API keys. Then use a Lambda function to enable AWS CloudTrail and deactivate the root API keys.
  • D. Using Amazon CloudTrail, create a new CloudTrail event that detects the deactivation of CloudTrail logs, and a separate CloudTrail event that detects the creation of root API keys. Then use a Lambda function to enable CloudTrail and deactivate the root API keys.


Suggested Answer: C

by sensor at July 5, 2019, 10:38 a.m.
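As an added example that is not part of the original post or any AWS code, here is the detect-and-remediate logic the question is after, written as a Lambda-style handler in Python over constructed CloudTrail API-call events (the shape EventBridge delivers). The trail name, the placeholder key id and the `notify` callback are assumptions; the CloudTrail client is injected so the logic runs offline, and the comments call out the one case a Lambda cannot fix by itself: root access keys can only be created or deactivated by the root user, so that finding is escalated rather than "remediated".

```python
# Added example, not from the page or AWS. Events are EventBridge
# "AWS API Call via CloudTrail" records trimmed to the fields used.
# Assumed: an EventBridge rule routes cloudtrail.amazonaws.com and
# iam.amazonaws.com management events to this handler.

def classify(event):
    """Map a CloudTrail API-call event to a finding, or None if uninteresting."""
    d = event.get("detail", {})
    source, name = d.get("eventSource"), d.get("eventName")
    if source == "cloudtrail.amazonaws.com" and name in ("StopLogging", "DeleteTrail"):
        return name, d["requestParameters"]["name"]
    if (source == "iam.amazonaws.com" and name == "CreateAccessKey"
            and d.get("userIdentity", {}).get("type") == "Root"):
        key = d.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
        return "RootCreateAccessKey", key or "<unknown>"
    return None

def handle(event, cloudtrail, notify):
    """Remediate what can be fixed automatically; escalate the rest.
    cloudtrail: object with start_logging(Name=...) (boto3.client("cloudtrail") in prod).
    notify: callable taking a message (an SNS publish wrapper in prod)."""
    finding = classify(event)
    if finding is None:
        return {"action": "ignored"}
    kind, target = finding
    if kind == "StopLogging":
        cloudtrail.start_logging(Name=target)   # CloudTrail StartLogging API
        notify(f"Re-enabled logging on trail {target}")
        return {"action": "start_logging", "trail": target}
    # A deleted trail cannot simply be restarted, and root access keys can only be
    # created or deactivated by the root user itself, so both go to a human.
    notify(f"{kind} on {target}: manual action required")
    return {"action": "escalate", "finding": kind, "target": target}

# Constructed sample events (subset of the real CloudTrail record fields).
STOP_LOGGING_EVENT = {"detail": {"eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StopLogging", "userIdentity": {"type": "IAMUser"},
    "requestParameters": {"name": "prod-trail"}}}
ROOT_KEY_EVENT = {"detail": {"eventSource": "iam.amazonaws.com",
    "eventName": "CreateAccessKey", "userIdentity": {"type": "Root"},
    "responseElements": {"accessKey": {"accessKeyId": "AKIA-PLACEHOLDER-ID"}}}}

def lambda_handler(event, context=None):
    import boto3  # imported lazily so the logic above is testable offline
    return handle(event, boto3.client("cloudtrail"), print)
```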

Disclaimers:

  • ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Madura

Highly Voted 1 year, 2 months ago

The answer should be B. We can achieve this using AWS Config. //docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html //docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html

upvoted 35 times

AFAIK, Config can't trigger a Lambda for remediation, only for rules.

upvoted 1 times

It can... have you ever used AWS Config? //aws.amazon.com/about-aws/whats-new/2018/04/aws-config-adds-support-for-aws-lambda/#:~:text=You%20can%20now%20record%20configuration,timeout%20settings%2C%20and%20concurrency%20settings.

upvoted 2 times


AWS Config cannot be configured to watch API calls. While there are other ways to do parts of each, here, with the options provided, the answer should be C.

upvoted 2 times


This is correct, only the "calls to create-api-key" part is very ambiguous. Technically Config does not detect the call, but the result of the call.

upvoted 2 times


donathon

Highly Voted 1 year, 2 months ago

Hi Guys, answer is C. Based on past experience with AWS exams, AWS really likes to base questions on their blogs and articles to see how updated you are. Below are 2 articles that show exactly where the answer is found. 80% of the PRO exam is now based on these articles. That's why it's so damn hard. C //aws.amazon.com/blogs/mt/monitor-changes-and-auto-enable-logging-in-aws-cloudtrail/ //github.com/aws/Trusted-Advisor-Tools/tree/master/ExposedAccessKeys

upvoted 19 times

Nope B is correct. AWS wants to use managed services as much as possible. "Cloudtrail-enabled aws managed config rule checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS topic, and Amazon CloudWatch Logs ARN to use."

upvoted 3 times

If CloudTrail is disabled, how can CloudTrail create an event?

upvoted 1 times


I like your answer, but Trusted Advisor cannot detect the creation of access keys on the root account, only the presence of them in popular code repos. Additionally, this alert is only available if you are on a support plan, whereas Config does allow for this.

upvoted 2 times


This is incorrect. Check Madura's response and links above. Standard use-cases for Config.

upvoted 2 times


Selected Answer: C

Monitor status change of Trusted Advisor:
CloudWatch Events: //morioh.com/p/25f37499c68b
EventBridge: //docs.aws.amazon.com/awssupport/latest/user/cloudwatch-events-ta.html
Plus, the GitHub link posted by donathon

upvoted 1 times


Selected Answer: B

B - Seems like the most likely option. Security Hub items, underlying config rule: AWS Config rule: iam-root-access-key-check //docs.aws.amazon.com/config/latest/developerguide/iam-root-access-key-check.html //docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html

1.12 – Ensure no root user access key exists
Severity: Critical
AWS Config rule: iam-root-access-key-check
Schedule type: Periodic

The root user has complete access to all services and resources in an AWS account. Access keys provide programmatic access to a given account. CIS recommends that all access keys associated with the root user be removed. Removing access keys associated with the root user limits vectors by which the account can be compromised. Removing the root user access keys also encourages the creation and use of role-based accounts that are least privileged.

upvoted 1 times

For the CloudTrail portion of the question, the associated config rule: //docs.aws.amazon.com/config/latest/developerguide/cloudtrail-enabled.html

upvoted 1 times


Correct answer is C. There is no rule like create-api-key in AWS config rule to monitor root API keys.

upvoted 2 times


This is a testable scenario. I did a fair amount of research on the AWS Config and Trusted Advisor capabilities. B doesn't talk about Trusted Advisor; instead it tries to accommodate the check using AWS Config itself. donathon has posted a GitHub link in the comment that explains the orchestration of the exposed API key remediation using Trusted Advisor. After reading these materials, I vote for C.

upvoted 2 times


Mr__

2 months, 2 weeks ago

Selected Answer: B

B is right

upvoted 1 times


ceeee

2 months, 2 weeks ago

Selected Answer: B

Whenever something changes and is considered a configuration that doesn't need to be changed, the answer is always AWS Config.

upvoted 3 times


Selected Answer: B

Cannot be C, Trusted Advisor does not have such a check. Here is the list:

  • Amazon EC2 instances with Microsoft SQL Server end of support
  • Amazon EC2 instances with Microsoft Windows Server end of support
  • Amazon EBS Public Snapshots
  • Amazon RDS Public Snapshots
  • Amazon RDS Security Group Access Risk
  • Amazon Route 53 MX Resource Record Sets and Sender Policy Framework
  • Amazon S3 Bucket Permissions
  • AWS CloudTrail Logging
  • AWS Lambda Functions Using Deprecated Runtimes
  • AWS Well-Architected high risk issues for security
  • CloudFront Custom SSL Certificates in the IAM Certificate Store
  • CloudFront SSL Certificate on the Origin Server
  • ELB Listener Security
  • ELB Security Groups
  • Exposed Access Keys
  • IAM Access Key Rotation
  • IAM Password Policy
  • IAM Use
  • MFA on Root Account
  • Security Groups – Specific Ports Unrestricted
  • Security Groups – Unrestricted Access

upvoted 2 times


Selected Answer: B

Option B: You can monitor CloudTrail status with the AWS Config cloudtrail-enabled rule, just like @Madura described. The problem with option C is the statement saying to monitor the root API key with a Trusted Advisor check. It doesn't do it: //docs.aws.amazon.com/awssupport/latest/user/security-checks.html

upvoted 2 times


Answer: B

upvoted 1 times


Answer is B. C mentions Lambda; it should be Config rules that remediate the problem: //docs.aws.amazon.com/config/latest/developerguide/remediation.html

upvoted 1 times


fgg89

7 months, 2 weeks ago

I go with C. B was tempting but this link makes it quite clear: //aws.amazon.com/blogs/mt/monitor-changes-and-auto-enable-logging-in-aws-cloudtrail/

upvoted 1 times

Check Madura's links. AWS Config contains those two rules, one for root keys and one for logging, which is better and easier than CloudWatch. I go with B.

upvoted 1 times


ggx

9 months, 3 weeks ago

Selected Answer: B

B 1000%

upvoted 1 times


supporting C > //aws.amazon.com/blogs/mt/monitor-changes-and-auto-enable-logging-in-aws-cloudtrail/

upvoted 2 times


Answer: B. The question is about after the incident occurred. -> Option C mentions the best practice before the incident occurs.

upvoted 1 times


B is correct. For those who are concerned about C, you must read the question clearly: answer C says "separate Amazon Trusted Advisor check to automatically detect the creation of root API keys". In this case, the root user created access keys; it does not mention a root access key.

upvoted 1 times


Which AWS Trusted Advisor check category includes the AWS CloudTrail logging check?

Trusted Advisor is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Trusted Advisor. CloudTrail captures actions for Trusted Advisor as events. The calls captured include calls from the Trusted Advisor console.

Which of the following is included in the AWS Trusted Advisor checks?

Amazon Trusted Advisor provides best practices in four categories: cost optimization, security, fault tolerance, and performance improvement.

What are the 7 core checks in trusted advisor?

These seven checks are:

  • S3 Bucket Permissions
  • Security Groups – Specific Ports Unrestricted
  • IAM Use
  • MFA on Root Account
  • EBS Public Snapshots
  • RDS Public Snapshots
  • Service Limits

What does an AWS Trusted Advisor red check mean?

AWS Trusted Advisor performs checks that monitor and can help improve the performance of AWS resources. The service displays a green check mark icon when no change is needed, an orange exclamation point when an investigation is recommended, and a red exclamation point when action is recommended.
