You are an AWS security specialist in a company.
You manage multiple AWS accounts and hundreds of IAM users.
You need to keep the AWS credentials (access key IDs and secret access keys) secure. If certain access keys are exposed to the public or compromised, you should get a notification so that immediate actions can be taken.
You need an alert system to keep monitoring the access keys. Which of the following options can quickly achieve the requirements?
A. AWS provides a daily credential report to the security contact email of the AWS account.
B. In AWS Trusted Advisor, use the Exposed Access Keys check to identify leaked credentials.
C. Create a Lambda function using the Exposed Access Keys blueprint to monitor the IAM credentials and notify an SNS topic.
D. Use an open-source tool to scan popular code repositories for access keys that have been exposed to the public. Configure an SQS queue to receive the security alerts.
Answer: B.
Option A is incorrect because AWS does not provide a daily credential report about our AWS Infrastructure and services alerts.
Option B is CORRECT because the Exposed Access Keys check in AWS Trusted Advisor can identify potentially leaked or compromised access keys.
When there is an alert, users can take immediate actions to secure the account.
Option C is incorrect because you do not need to maintain a Lambda function for this, and there is no Exposed Access Keys blueprint available.
Option D is incorrect because AWS SQS is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications, but this would not provide alerts in case of access keys being exposed.
Reference:
https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/

Option C, "Create a Lambda function using the Exposed Access Keys blueprint to monitor the IAM credentials and notify an SNS topic," is the best option for quickly achieving the requirements of monitoring AWS credentials for security purposes.
AWS Lambda is a compute service that allows users to run code without provisioning or managing servers. It's designed to be scalable, cost-effective, and flexible, making it an excellent tool for this use case.
The Exposed Access Keys blueprint is a pre-built AWS Lambda function that scans CloudTrail logs for API calls that involve the creation or modification of IAM access keys. If the function detects any suspicious activity, such as the creation of an access key without a corresponding delete request, it sends a notification to an SNS topic.
SNS (Simple Notification Service) is a fully managed messaging service that enables users to send notifications to subscribers or other AWS services. In this case, the SNS topic will receive the notification from the Lambda function and alert the appropriate individuals or systems, so that they can take immediate action to prevent further damage.
Option A, "AWS provides a daily credential report to the security contact email of the AWS account," is not an optimal solution as it only provides a daily report and does not provide real-time alerts. If a credential is exposed or compromised between the time of the report and when it is received, the company may be vulnerable to an attack.
Option B, "In AWS Trusted Advisor, use the Exposed Access Keys check to identify leaked credentials," is a good tool to help identify exposed keys. However, it does not provide real-time alerts and requires manual intervention to check the report.
Option D, "Use an open-source tool to scan popular code repositories for access keys that have been exposed to the public. Configure an SQS queue to receive the security alerts," is also a good option for identifying exposed keys. However, it requires setting up and maintaining an open-source tool and configuring an SQS queue to receive the security alerts. This option requires more time and resources than option C.
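The answer key's Option B rests on the Trusted Advisor Exposed Access Keys check. As an added example that is not part of the page, the following shows the EventBridge event pattern that selects that check's refresh notifications when it reports ERROR (the pattern is what you would pass to events.put_rule, with an SNS topic as the target), plus a small matcher run over two constructed events; the check-item-detail field names are assumed from the check's result columns.

```python
import json

# EventBridge rule pattern for the Trusted Advisor "Exposed Access Keys" check.
# source / detail-type / check-name / status follow AWS's Trusted Advisor event shape.
EXPOSED_KEYS_PATTERN = {
    "source": ["aws.trustedadvisor"],
    "detail-type": ["Trusted Advisor Check Item Refresh Notification"],
    "detail": {"check-name": ["Exposed Access Keys"], "status": ["ERROR"]},
}

def matches(event, pattern):
    """Subset of EventBridge matching: a list means 'value is one of these',
    a dict recurses into nested fields, and every pattern key must be present."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(expected, dict):
            if not isinstance(value, dict) or not matches(value, expected):
                return False
        elif value not in expected:
            return False
    return True

def alert_message(event):
    """Return the notification text for a matching event, or None to drop it."""
    if not matches(event, EXPOSED_KEYS_PATTERN):
        return None
    item = event["detail"].get("check-item-detail", {})  # field names assumed
    return (f"Trusted Advisor flagged an exposed access key: "
            f"{item.get('Access Key ID', '?')} for {item.get('User Name (IAM or Root)', '?')} "
            f"in account {event.get('account', '?')} (seen at {item.get('Location', '?')})")

# Constructed sample events; account, key ID and user are made-up values.
SAMPLE_EXPOSED = {
    "source": "aws.trustedadvisor",
    "detail-type": "Trusted Advisor Check Item Refresh Notification",
    "account": "111122223333",
    "detail": {"check-name": "Exposed Access Keys", "status": "ERROR",
               "check-item-detail": {"Access Key ID": "AKIAEXAMPLEKEY000001",
                                     "User Name (IAM or Root)": "ci-deploy",
                                     "Location": "example.com/some-public-repo"}},
}
SAMPLE_OTHER = {
    "source": "aws.trustedadvisor",
    "detail-type": "Trusted Advisor Check Item Refresh Notification",
    "account": "111122223333",
    "detail": {"check-name": "Security Groups - Unrestricted Access", "status": "WARN"},
}

if __name__ == "__main__":
    print(json.dumps(EXPOSED_KEYS_PATTERN, indent=2))
    for ev in (SAMPLE_EXPOSED, SAMPLE_OTHER):
        print(alert_message(ev))
```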