SCS-CO2 Set 3 – Issue with SEC – Threat Detection and Incident Response #4
-
For the third timed mode set for the AWS Certified Security Specialty there is a question:
A Security Engineer found out that API logging was disabled in the corporate AWS production account. The Engineer also noticed that the root IAM user was used to create new API keys without approval.
What should the Engineer do to detect and automatically remediate these types of security incidents?
The correct answer seems to include an incorrect premise, mentioning using config to monitor calls to “create-api-key” – Config does not monitor calls to services. The explanation states in part that:
“iam-root-access-key-check – Checks whether the root user access key is available”
But this is not part of any of the answers, or the question. A combination of CloudTrail and Config is needed here – both of the following answers:
“Set up a new CloudTrail event that detects the deactivation of CloudTrail logs. Create another CloudTrail event that detects the creation of root API keys. Set up an AWS Lambda function to re-enable CloudTrail logs and deactivate the root API keys.”
and
“Create a config rule in AWS Config that detects when AWS CloudTrail is disabled. Set another rule to monitor any calls to the create-api-key by the root IAM user. Set up an AWS Lambda function to re-enable CloudTrail logs and deactivate the root API keys.”
contain half of the solution, as worded.
I imagine this is a typo, but it makes it so none of the provided options are actually complete.
SEC – Threat Detection and Incident Response #4
Thank you.
-
Hi jacob-9,
Thank you for your feedback. We appreciate your observation about the wording in Option 2, which suggested AWS Config could monitor “create-api-key” calls. AWS Config evaluates resource configurations, not API calls, and the reference to the iam-root-access-key-check rule in the explanation wasn’t fully aligned with the answer, leading to some confusion. Your point about combining AWS Config for CloudTrail status and CloudTrail with EventBridge for API key creation detection is well-taken.
We’ve updated the question to clarify Option 2, changing “monitor any calls to the create-api-key” to “detect the presence of root user access keys” using the iam-root-access-key-check rule. The explanation now aligns with this correction and includes the cloudtrail-enabled rule for CloudTrail monitoring. These changes ensure the answer is accurate and complete.
The updated question and explanation will reflect in the portal soon. Thank you for helping us improve our content. If you have further questions, please let us know.
Best,
Irene @ Tutorials Dojo
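The detection side that both posts above converge on (CloudTrail API events routed through EventBridge, with Config's cloudtrail-enabled and iam-root-access-key-check rules covering the resource-state side) can be sketched end to end. The block below is an added example written for this thread; it is not Tutorials Dojo's content and not the exam's reference solution. It assumes the standard shape of CloudTrail events as EventBridge delivers them (detail-type "AWS API Call via CloudTrail", with eventSource, eventName, userIdentity, requestParameters and responseElements under detail), and it implements only the exact-value subset of EventBridge pattern matching that these two rules need. The sample events, the FakeCloudTrail client and the notifier callback are constructed stand-ins so the logic runs offline; in AWS the handler would receive boto3 clients instead. One caveat the exam wording glosses over: a root user's access key can only be managed with root credentials, so a Lambda execution role cannot deactivate it with UpdateAccessKey. The handler therefore re-enables logging itself but escalates the root-key case for manual action.

```python
"""Added example (not from the thread): EventBridge rule patterns for the two
incidents, an offline matcher, and a Lambda-style remediation handler."""
import json

# Rule 1: the root user creating an access key. IAM is a global service, so its
# CloudTrail events surface in us-east-1; this rule must be deployed there.
ROOT_ACCESS_KEY_RULE = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateAccessKey"],
        "userIdentity": {"type": ["Root"]},
    },
}

# Rule 2: a trail being stopped or deleted.
TRAIL_DISABLED_RULE = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail"],
    },
}


def matches(pattern, event):
    """Minimal EventBridge-style matcher: every key in the pattern must exist in
    the event and either (list) contain the event's value or (dict) match
    recursively. Only exact-value matching is implemented."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def remediate(event, cloudtrail, notify):
    """Lambda-style handler. `cloudtrail` stands in for boto3.client("cloudtrail")
    and `notify` for an alerting hook (both assumptions of this example).
    Returns the list of actions taken so the logic can be asserted on."""
    actions = []
    detail = event.get("detail", {})
    if matches(TRAIL_DISABLED_RULE, event):
        trail = (detail.get("requestParameters") or {}).get("name")
        if trail and detail["eventName"] == "StopLogging":
            cloudtrail.start_logging(Name=trail)  # real boto3 call signature
            actions.append(f"start_logging:{trail}")
        else:
            notify(f"trail deleted or unnamed: {detail.get('eventName')}")
            actions.append("notify:trail_deleted")
    if matches(ROOT_ACCESS_KEY_RULE, event):
        key = (detail.get("responseElements") or {}).get("accessKey", {})
        key_id = key.get("accessKeyId")
        # Caveat: only root credentials can deactivate a root access key, so an
        # execution role cannot call UpdateAccessKey on it. Escalate instead.
        notify(f"root access key created: {key_id}")
        actions.append(f"notify:root_key:{key_id}")
    return actions


# Constructed sample events (not real CloudTrail records); the key ID is the
# AWS documentation placeholder.
SAMPLE_EVENTS = [
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
                "userIdentity": {"type": "Root", "accountId": "111122223333"},
                "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                                   "status": "Active"}}}},
    {"source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "requestParameters": {"name": "prod-trail"}}},
    # An IAM user creating its own key must not trigger the root rule.
    {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}},
]


class FakeCloudTrail:
    """Offline stand-in for the boto3 CloudTrail client; records calls."""
    def __init__(self):
        self.started = []

    def start_logging(self, Name):
        self.started.append(Name)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def run_samples():
    """Run the handler over the constructed events; returns (actions, trails
    re-enabled, notifications) for inspection or assertion."""
    ct, notes = FakeCloudTrail(), []
    results = [remediate(e, ct, notes.append) for e in SAMPLE_EVENTS]
    return results, ct.started, notes


if __name__ == "__main__":
    print(json.dumps(ROOT_ACCESS_KEY_RULE))  # paste as the EventBridge pattern
    print(json.dumps(TRAIL_DISABLED_RULE))
    print(run_samples())
```

The two pattern dictionaries are what goes into the EventBridge rules (the root-key rule in us-east-1, the trail rule in every region with a trail); the Lambda is the target of both. Config's cloudtrail-enabled and iam-root-access-key-check managed rules complement this by reporting the resulting state (trail off, root key present) even if the API event itself was missed, which is why the thread's conclusion is that both services are needed.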