AWS Account Security: Addressing the Compromised IAM User Issue

How to Address AWSExposedCredentialPolicy_DO_NOT_REMOVE Security Issue

Question

You are an AWS system administrator in a company.

You just received an abuse report from AWS saying that your AWS account may be compromised.

You check the account and do not find any unrecognized AWS resources.

However, an IAM user (Bob) has an unexpected policy called AWSExposedCredentialPolicy_DO_NOT_REMOVE.

You do not want to delete the user as the user is valid.

Which of the following actions would you take to address this security issue in the most suitable way?

Answers

A. Delete the IAM policy AWSExposedCredentialPolicy_DO_NOT_REMOVE and make sure that no IAM users use this policy.

B. Remove all IAM policies assigned to Bob.

C. Delete all existing IAM users and recreate them with new passwords.

D. Delete the policy and rotate the access keys for the user Bob.

Explanations

Correct Answer - D.

When you receive an abuse report from AWS, you should first review the abuse notice to see exactly what content or activity was reported, including which user or access key AWS names.

Details can be found at https://aws.amazon.com/premiumsupport/knowledge-center/aws-abuse-report/ and https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/.

Option A is incorrect: Because the access keys of the IAM user Bob may be compromised. AWSExposedCredentialPolicy_DO_NOT_REMOVE is a restrictive policy that AWS itself attaches when it finds a user's credentials exposed publicly; deleting it does nothing about the exposed keys, and whoever holds them can keep acting as Bob (including, if Bob has IAM permissions, creating or attaching other policies).

Option B is incorrect: Same reason as Option A. Removing Bob's other policies leaves the exposed keys valid and also breaks the user's legitimate access.

Option C is incorrect: Because you only need to deal with the IAM users that are compromised or that you did not create; the other users and their passwords are not involved.

Option D is CORRECT: Please check https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/ for the suggested steps when there is unauthorized activity in an AWS account.

In this situation you should rotate (or delete) Bob's exposed access keys, review CloudTrail for activity performed with them, and respond to the abuse case; delete the policy only after the keys have been rotated, since it is the restriction AWS applied to contain the exposure.

As an AWS system administrator, it's essential to address any potential security issues quickly and effectively. In this scenario, an abuse report from AWS indicates that the account may be compromised, and an IAM user has an unexpected policy. The best course of action to address this security issue would be:

D. Delete the policy and rotate the access keys for the user Bob.

Explanation:

The presence of a policy named "AWSExposedCredentialPolicy_DO_NOT_REMOVE" that nobody in your company attached indicates that AWS detected Bob's credentials exposed (for example in a public code repository) and attached this policy itself to restrict what the exposed keys can do. The policy is not the attack; the exposed access keys are. While they remain valid, anyone who found them can act as Bob within whatever the restricted policy still allows, which can lead to data breaches, unexpected charges, or other security incidents. Rotating Bob's access keys removes the exposed credentials; deleting the policy afterwards restores Bob's normal permissions.

Deleting the IAM policy AWSExposedCredentialPolicy_DO_NOT_REMOVE and making sure no IAM users use this policy (Option A) is not enough: it only lifts the restriction AWS imposed and leaves the exposed keys usable, so you still need to rotate the credentials. Removing all IAM policies assigned to Bob (Option B) also leaves the exposed keys valid, impacts the user's ability to perform their job duties, and is not the best solution. Deleting all existing IAM users and recreating them with new passwords (Option C) is a time-consuming and drastic approach that is not necessary in this scenario; passwords are not the credential that was exposed, and users that are neither compromised nor unrecognized need no action.

In conclusion, the most suitable and effective course of action is to delete the policy and rotate the access keys for the user Bob. This removes the exposed credentials and restores the user's normal permissions. Additionally, you should review CloudTrail for activity performed with the exposed key, investigate how the credentials were exposed, respond to the abuse case, and take steps to prevent similar incidents from occurring in the future.
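The response described above (confirm what AWS attached, check what the exposed key did, rotate the key first, and only then lift the restriction) as an added example written for this page in shell with the AWS CLI. It is not code from the original page or from AWS. Only the user name Bob and the policy name come from the question; the function names, the sample key IDs (AWS's documented example IDs), the start time and the order of the steps are assumptions made for this example. It assumes the AWS CLI is installed and that the caller holds IAM read/write permissions on the user plus cloudtrail:LookupEvents.

```bash
#!/usr/bin/env bash
# Added example (not from the original page or from AWS): respond to an IAM
# user that AWS quarantined with AWSExposedCredentialPolicy_DO_NOT_REMOVE.
# Assumes the AWS CLI is installed and the caller has IAM read/write and
# cloudtrail:LookupEvents permissions. Only the user name "Bob" and the policy
# name come from the question; function names and key IDs are assumptions.
set -eu

QUARANTINE_POLICY="AWSExposedCredentialPolicy_DO_NOT_REMOVE"

# Print the user's access keys as "KeyId<TAB>Status" lines.
list_user_keys() {
  aws iam list-access-keys --user-name "$1" \
    --query 'AccessKeyMetadata[].[AccessKeyId,Status]' --output text
}

# Print the ARN of the quarantine policy if AWS attached it to the user.
quarantine_policy_arn() {
  aws iam list-attached-user-policies --user-name "$1" \
    --query "AttachedPolicies[?PolicyName=='$QUARANTINE_POLICY'].PolicyArn" \
    --output text
}

# Count CloudTrail management events made with one access key since an ISO 8601
# UTC start time. lookup-events only reaches back 90 days; query the CloudTrail
# S3 bucket with Athena for an older exposure.
key_event_count() {
  aws cloudtrail lookup-events \
    --lookup-attributes "AttributeKey=AccessKeyId,AttributeValue=$1" \
    --start-time "$2" --query 'length(Events)' --output text
}

# Contain first, then rotate: deactivate the exposed key at once, delete it if
# the user is already at IAM's limit of two keys, then issue a replacement.
# Prints the new key ID; the secret goes to stderr once because it can never
# be retrieved again and must reach Bob out of band.
rotate_user_keys() {
  user="$1"; exposed_key="$2"
  aws iam update-access-key --user-name "$user" \
    --access-key-id "$exposed_key" --status Inactive
  key_count=$(list_user_keys "$user" | grep -c . || true)
  if [ "$key_count" -ge 2 ]; then
    aws iam delete-access-key --user-name "$user" --access-key-id "$exposed_key"
  fi
  aws iam create-access-key --user-name "$user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text \
    | { read -r new_id new_secret
        echo "new secret for $user (shown once): $new_secret" >&2
        echo "$new_id"; }
}

# Full response for one user: confirm the quarantine is really present, report
# how much the exposed key was used (review those events by hand), and rotate.
handle_quarantine() {
  user="$1"; exposed_key="$2"; since="$3"
  arn=$(quarantine_policy_arn "$user")
  if [ -z "$arn" ]; then
    echo "$user is not quarantined; re-read the abuse notice" >&2
    return 1
  fi
  if ! list_user_keys "$user" | grep -q "^$exposed_key"; then
    echo "$exposed_key does not belong to $user" >&2
    return 1
  fi
  echo "$exposed_key: $(key_event_count "$exposed_key" "$since") CloudTrail events since $since"
  new_key=$(rotate_user_keys "$user" "$exposed_key")
  echo "rotated: $exposed_key -> $new_key"
}

# Lift the quarantine only after the exposed key is no longer Active and the
# AWS abuse case has been answered: the policy is AWS's containment, so
# detaching it first would hand whoever holds the key Bob's full permissions.
lift_quarantine() {
  user="$1"; exposed_key="$2"
  if list_user_keys "$user" | grep -q "^$exposed_key[[:space:]][[:space:]]*Active"; then
    echo "refusing to lift quarantine: $exposed_key is still Active" >&2
    return 1
  fi
  arn=$(quarantine_policy_arn "$user")
  [ -n "$arn" ] || return 0
  aws iam detach-user-policy --user-name "$user" --policy-arn "$arn"
  echo "quarantine lifted for $user"
}

# Usage: ./respond.sh --run Bob AKIAIOSFODNN7EXAMPLE 2024-01-01T00:00:00Z
if [ "$#" -ge 4 ] && [ "$1" = "--run" ]; then
  handle_quarantine "$2" "$3" "$4"
fi
```

The script deliberately separates rotation from lifting the quarantine: handle_quarantine never detaches the policy, and lift_quarantine refuses to detach it while the exposed key is still Active, which is the order the DO_NOT_REMOVE name is warning about. The event count is only a prompt to go and read the CloudTrail records for that key; a non-zero count after the exposure time means the unauthorized activity has to be investigated and any resources it created removed.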