Amazon SCS-C02 Exam - Topic 6 Question 7 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 7
Topic #: 6

A company uses SAML federation to grant users access to AWS accounts. A company workload that is in an isolated AWS account runs on immutable infrastructure with no human access to Amazon EC2. The company requires a specialized user known as a break glass user to have access to the workload AWS account and instances in the case of SAML errors. A recent audit discovered that the company did not create the break glass user for the AWS account that contains the workload.

The company must create the break glass user. The company must log any activities of the break glass user and send the logs to a security team.

Which combination of solutions will meet these requirements? (Select TWO.)

Suggested Answer: A, E

The two solutions that together meet the requirements are:

A) Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities. This is a valid solution because it allows the security team to access the workload AWS account and instances using a local IAM user that does not depend on SAML federation. It also enables logging and monitoring of the break glass user's activities using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon EventBridge [1][2][3].

E) Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic. This is a valid solution because it allows the security team to access the workload instances without opening any inbound ports or managing SSH keys or bastion hosts. It also enables logging and notification of the break glass user's activities using AWS CloudTrail, Session Manager, and Amazon SNS [4][5][6].
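The two suggested solutions both reduce to the same detection shape: CloudTrail records the break glass user's API calls, and a rule routes the matching records to the security team. The block below is an added example (not code from the page or from AWS) that models solution A as an EventBridge-style pattern on the local break glass IAM user's identity and solution E as a pattern on Session Manager session calls, then runs both over constructed CloudTrail records and renders the message an SNS topic would receive. The matcher re-implements only EventBridge's basic exact-match semantics; the user name `breakglass-secteam`, the account id, the instance id and the sample records are all constructed for this example.

```python
"""EventBridge-style pattern matching over CloudTrail records (added example).

Solution A -> pattern on the break-glass IAM user's userIdentity.
Solution E -> pattern on Session Manager eventSource/eventName.
Only exact-match semantics are implemented: a list in the pattern is an OR of
literal values, nested objects recurse, keys absent from the pattern are ignored.
"""

BREAK_GLASS_USER = "breakglass-secteam"  # constructed name, not from the page
ACCOUNT_ID = "111122223333"              # AWS documentation placeholder account

# Solution A: any API call authenticated as the local break-glass IAM user.
BREAK_GLASS_USER_PATTERN = {
    "detail": {"userIdentity": {"type": ["IAMUser"], "userName": [BREAK_GLASS_USER]}}
}

# Solution E: Session Manager session lifecycle calls recorded by CloudTrail.
SESSION_MANAGER_PATTERN = {
    "detail": {
        "eventSource": ["ssm.amazonaws.com"],
        "eventName": ["StartSession", "ResumeSession", "TerminateSession"],
    }
}


def matches(pattern, event):
    """Return True when every key in `pattern` is satisfied by `event`."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:  # `expected` is a list of literal values
            return False
    return True


def classify(event):
    """Return the alert labels an event triggers, in a fixed order."""
    labels = []
    if matches(BREAK_GLASS_USER_PATTERN, event):
        labels.append("break-glass-user-activity")
    if matches(SESSION_MANAGER_PATTERN, event):
        labels.append("session-manager-activity")
    return labels


def sns_message(event, labels):
    """Render the notification the security team's SNS topic would receive."""
    d = event["detail"]
    who = d["userIdentity"].get("userName") or d["userIdentity"].get("arn")
    target = d.get("requestParameters", {}).get("target", "-")
    return f"[{','.join(labels)}] {who} called {d['eventSource']}:{d['eventName']} target={target}"


def make_event(detail):
    """Wrap a CloudTrail record the way EventBridge delivers it (in `detail`)."""
    service = detail["eventSource"].split(".")[0]
    return {"source": f"aws.{service}", "detail-type": "AWS API Call via CloudTrail", "detail": detail}


SAMPLE_EVENTS = [  # constructed CloudTrail records, not real telemetry
    make_event({  # break-glass user opens a session: both controls fire
        "eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
        "userIdentity": {"type": "IAMUser", "userName": BREAK_GLASS_USER,
                         "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/{BREAK_GLASS_USER}"},
        "requestParameters": {"target": "i-0123456789abcdef0"},
    }),
    make_event({  # routine SAML-federated activity: no alert
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/SamlOps/alice"},
    }),
    make_event({  # break-glass user touching IAM: user-activity alert only
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": BREAK_GLASS_USER},
    }),
    make_event({  # a different IAM user ending a session: Session Manager alert only
        "eventSource": "ssm.amazonaws.com", "eventName": "TerminateSession",
        "userIdentity": {"type": "IAMUser", "userName": "svc-deployer"},
    }),
]


def alerts(events=SAMPLE_EVENTS):
    """Return the SNS messages the given records would generate."""
    out = []
    for event in events:
        labels = classify(event)
        if labels:
            out.append(sns_message(event, labels))
    return out


if __name__ == "__main__":
    for line in alerts():
        print(line)
```

The federated `DescribeInstances` record produces no alert, which is the point of keying solution A on `userIdentity.type` and `userName` rather than on the API name: normal SAML traffic stays quiet and only direct use of the local user, or any Session Manager session, reaches the team.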

The other options are incorrect because:

B) Creating a break glass EC2 key pair for the AWS account and providing it to the security team is not a valid solution, because it requires opening inbound ports on the instances and managing SSH keys, which increases the security risk and complexity [7].

C) Creating a break glass IAM role for the account and allowing security team members to perform the AssumeRoleWithSAML operation is not a valid solution, because it still depends on SAML federation, which might not work in case of SAML errors [8].

D) Creating a local individual break glass IAM user on the operating system level of each workload instance and configuring unrestricted security groups on the instances to grant access to the break glass IAM users is not a valid solution, because it requires opening inbound ports on the instances and managing multiple local users, which increases the security risk and complexity [9].

References:
1. Creating an IAM User in Your AWS Account
2. Creating a Trail - AWS CloudTrail
3. Using Amazon EventBridge with AWS CloudTrail
4. Setting up Session Manager - AWS Systems Manager
5. Logging Session Manager sessions - AWS Systems Manager
6. Amazon Simple Notification Service
7. Connecting to your Linux instance using SSH - Amazon Elastic Compute Cloud
8. AssumeRoleWithSAML - AWS Security Token Service
9. IAM Users - AWS Identity and Access Management

Contribute your Thoughts:
Aleshia
3 months ago
Surprised they didn't have a break glass user set up already!
upvoted 0 times
Chandra
3 months ago
Wait, D sounds super insecure with those unrestricted security groups!
upvoted 0 times
An
3 months ago
A and C make sense, but why not just use an IAM role?
upvoted 0 times
King
4 months ago
I think B is a bit risky with the key pair.
upvoted 0 times
Freeman
4 months ago
Definitely A and C! Seems like the safest options.
upvoted 0 times
Glenn
4 months ago
I feel like option A might be too simple. Creating a local IAM user seems risky, especially if we need to log activities properly.
upvoted 0 times
Kaycee
4 months ago
I’m a bit confused about the logging part. I know CloudTrail is essential, but does EventBridge really help in monitoring user activities?
upvoted 0 times
Aron
4 months ago
I think option C sounds familiar because it mentions AssumeRoleWithSAML, which we practiced in a similar question about access management.
upvoted 0 times
Fabiola
5 months ago
I remember we discussed the importance of having a break glass user, but I’m not sure if it should be an IAM user or a role.
upvoted 0 times
Helene
5 months ago
Hmm, this is a tricky one. I want to make sure I fully understand all the details before selecting any answers. I'll need to carefully read through each option and think about how it addresses the specific needs around the break glass user, logging, and security team requirements. I don't want to rush into this, so I'll take my time and try to arrive at the two best solutions.
upvoted 0 times
Launa
5 months ago
This question is right up my alley. I've worked with similar SAML and break glass scenarios before. I'm pretty confident that options A and C are the way to go here. Creating a dedicated break glass IAM user or role, with comprehensive logging and monitoring, is exactly what the company needs to meet their requirements. I'll select those two without hesitation.
upvoted 0 times
Whitley
5 months ago
Okay, I think I've got this. The key is to create a break glass user that the security team can access, and make sure all their activities are logged and sent to the security team. Options A and C look like they cover those bases - creating a break glass IAM user or role, and using CloudTrail and EventBridge to monitor and notify on their actions. I'll go with those two.
upvoted 0 times
Andrew
5 months ago
I'm a bit confused by this question. There are a lot of moving parts with the SAML federation, immutable infrastructure, and break glass user requirements. I'll need to read through the options carefully and make sure I understand how each one addresses the problem. Hopefully I can narrow it down to the two best solutions.
upvoted 0 times
Elke
5 months ago
This seems like a tricky question, but I think I have a good strategy. I'll focus on the key requirements - creating a break glass user, logging their activities, and sending the logs to a security team. I'll carefully review the options and try to find the two that best meet those needs.
upvoted 0 times
Mayra
5 months ago
I'm feeling pretty confident about this one. I'll start by inspecting the HTML and then try to match the correct JavaScript statement to the desired outcome.
upvoted 0 times
Celestine
5 months ago
This seems straightforward enough. I'll go through the options and see which ones match the error message and the requirements for exporting XML data in Excel.
upvoted 0 times
Bea
5 months ago
Okay, I think I've got this. The key is that the hardware is functioning properly and the intent log is valid. That means the mount command should automatically perform an intent log replay.
upvoted 0 times
Carman
5 months ago
This is a good opportunity to demonstrate my attention to detail. I'll be sure to thoroughly review the customer specs and create a label that aligns with their exact needs.
upvoted 0 times
Abel
5 months ago
We practiced forward contracts in class, and I think the no-arbitrage pricing involves adjusting the spot rate using the risk-free rates of both currencies.
upvoted 0 times
Wava
2 years ago
Option E could be an interesting solution. Using Systems Manager Session Manager to grant access and then filtering the CloudTrail logs based on that could be a good way to log the break glass user's activities. I'd want to make sure the SNS notifications are set up properly, though.
upvoted 0 times
Stevie
2 years ago
I'm not a big fan of option D. Creating local break glass IAM users on each instance and using unrestricted security groups seems like a security nightmare waiting to happen. I'd want to avoid that if possible.
upvoted 0 times
Danica
2 years ago
Haha, nice one! But you're right, we do need to focus on the actual solutions here. I think options C and E are the strongest contenders, but we'll need to carefully consider the pros and cons of each approach.
upvoted 0 times
Rebbeca
2 years ago
This is a tricky question. The company needs a specialized break glass user to access the workload AWS account, but they also need to log any activities of this user and send the logs to a security team. I'm not sure which combination of solutions is the best fit.
upvoted 0 times