How can this be accomplished?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A Security Engineer must design a solution that enables the incident Response team to audit for changes to a user’s IAM permissions in the case of a security incident.

How can this be accomplished?

Use AWS Config to review the IAM policy assigned to users before and after the incident.

Run the GenerateCredentialReport via the AWS CLI, and copy the output to Amazon S3 daily for auditing purposes.

Copy AWS CloudFormation templates to S3, and audit for changes from the template.

Use Amazon EC2 Systems Manager to deploy images, and review AWS CloudTrail logs for changes.

Explanations:

AWS Config can track changes to IAM policies and user permissions, making it an effective tool to audit changes before and after an incident.

TheGenerateCredentialReportprovides a snapshot of IAM users’ credentials, but it does not capture real-time changes to IAM permissions or track policy changes.

AWS CloudFormation templates only manage infrastructure deployment, and changes to IAM permissions via these templates aren’t sufficient for auditing user permissions.

EC2 Systems Manager is used for managing EC2 instances, not for tracking IAM permission changes. CloudTrail logs provide some insight, but AWS Config is the better solution.

2025-10-09

1 Comment

  1. Jacob
    Author

    I deduce that the answer is:
    Use AWS Config to review the IAM policy assigned to users before and after the incident.

Leave a Reply to Jacob Cancel reply

Your email address will not be published. Required fields are marked *

11 − eleven =