Which solution will meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A security engineer receives an abuse report email message from the AWS Trust and Safety team.The abuse report identifies a resource that appears to be compromised.The abuse report indicates that the resource is an IAM access key that belongs to a DevOps engineer in the security engineer’s company.The access key is used in a deployment system that uses AWS Lambda functions to launch AWS CloudFormation stacks.The security engineer must address the abuse report, prevent any further use of the exposed access key, and implement security best practices.

Which solution will meet these requirements?

Locate the compromised IAM access key and deactivate or delete the key. Generate new access keys for the Lambda deployment process. Apply the new keys to the deployment system. In the account that contained the compromised key, create a new support case in AWS Support to detail these remediation steps.

Delete or deactivate the compromised IAM access key. Discontinue the use of IAM access keys. Create a new IAM role for the Lambda deployment process. Apply the IAM role to the deployment system Lambda functions. Respond directly to the abuse report message to detail these remediation steps.

Locate the compromised IAM access key. Delete the IAM user that is associated with the access key. Generate a new access key. Store the new key as an AWS Secrets Manager secret. Encrypt the secret with an AWS Key Management Service (AWS KMS) customer managed key. Update the Lambda functions to retrieve the access key from AWS Secrets Manager at runtime. In the account that contained the compromised key, create a new support case in AWS Support to detail these remediation steps.

Delete or deactivate the compromised IAM access key. Generate and store a new access key as an environmental variable within the configuration of the deployment system’s Lambda functions. Respond directly to the abuse report message to detail these remediation steps.

Explanations:

While deactivating the key and generating a new one is necessary, creating a support case and applying new keys to the system without addressing security best practices (e.g., using IAM roles instead of access keys) is inadequate for long-term security.

This option deactivates the compromised key and eliminates the use of IAM access keys by replacing them with an IAM role for Lambda, which is a security best practice for service-to-service communication. Responding to the abuse report is appropriate.

Deleting the IAM user and using AWS Secrets Manager to store the key introduces unnecessary complexity. Storing access keys in Secrets Manager, while secure, is less optimal than using an IAM role, which provides better security for Lambda functions.

Storing the new access key as an environment variable within the Lambda functions is insecure as it exposes the key within the Lambda configuration. It is better to use IAM roles for such tasks to avoid manual key management.

2025-10-16

1 Comment

  1. Jesse
    Author

    I rank that the answer is:
    Delete or deactivate the compromised IAM access key. Discontinue the use of IAM access keys. Create a new IAM role for the Lambda deployment process. Apply the IAM role to the deployment system Lambda functions. Respond directly to the abuse report message to detail these remediation steps.

Leave a Reply to Jesse Cancel reply

Your email address will not be published. Required fields are marked *

2 × 4 =