
Answer-first summary for fast verification
Answer: C and E.
C: Create a break glass IAM role for the account. Allow security team members to perform the AssumeRoleWithSAML operation. Create an AWS CloudTrail trail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor security team activities.
E: Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.
The correct options are C and E. A break glass IAM role (C) lets security team members assume elevated access only when it is needed, and pairing it with an AWS CloudTrail trail that has Amazon CloudWatch Logs turned on, monitored by Amazon EventBridge, records and surfaces everything done under that role. Configuring AWS Systems Manager Session Manager for EC2 (E) gives the team controlled access to the instances without a direct human access path, and a CloudTrail filter on Session Manager activity that publishes to an SNS topic reports each session to the security team. Together, these two options provide the break glass mechanism with the required logging and reporting.
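As an added example (not part of the quiz page or its answer), the following detection logic flags the CloudTrail events that options C and E want reported: the break glass role being assumed through SAML, API calls made under that role's session, and Session Manager sessions on EC2 instances. The role ARN, account ID, instance ID and CloudTrail records are constructed placeholders; the alert payloads are what a rule would hand to the SNS topic.

```python
# Added example (not from the quiz page): detection logic that flags the
# break-glass activity options C and E want reported, run over CloudTrail
# records. Role ARN, account ID and sample records are constructed.
BREAK_GLASS_ROLE_ARN = "arn:aws:iam::111122223333:role/BreakGlassRole"  # constructed

def flag_break_glass_event(record: dict):
    """Return a reason string if the record must be reported, else None."""
    source, name = record.get("eventSource"), record.get("eventName")
    params = record.get("requestParameters") or {}
    issuer_arn = (record.get("userIdentity", {}).get("sessionContext", {})
                  .get("sessionIssuer", {}).get("arn"))
    # (1) The break-glass role being assumed through SAML federation (option C).
    if source == "sts.amazonaws.com" and name == "AssumeRoleWithSAML" \
            and params.get("roleArn") == BREAK_GLASS_ROLE_ARN:
        return "break-glass role assumed via SAML"
    # (2) Session Manager access to an instance (option E's CloudTrail filter).
    if source == "ssm.amazonaws.com" and name in ("StartSession", "ResumeSession"):
        return f"Session Manager {name} on {params.get('target', '<unknown>')}"
    # (3) Any other API call made under a break-glass role session.
    if issuer_arn == BREAK_GLASS_ROLE_ARN:
        return f"API call {name} under break-glass session"
    return None

def build_alerts(records: list) -> list:
    """Collect one SNS-ready alert payload per flagged record."""
    alerts = []
    for rec in records:
        reason = flag_break_glass_event(rec)
        if reason:
            alerts.append({"eventTime": rec.get("eventTime"),
                           "eventName": rec.get("eventName"), "reason": reason})
    return alerts

def ct_record(time, source, name, identity, **params):
    """Build a minimal CloudTrail record (constructed test data only)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "requestParameters": params}

def assumed_role(role_arn: str) -> dict:  # userIdentity of a role session
    return {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"arn": role_arn}}}

SAMPLE_RECORDS = [  # constructed, not real log data
    ct_record("2024-01-01T00:00:00Z", "sts.amazonaws.com", "AssumeRoleWithSAML",
              {"type": "SAMLUser"}, roleArn=BREAK_GLASS_ROLE_ARN),
    ct_record("2024-01-01T00:01:00Z", "ec2.amazonaws.com", "DescribeInstances",
              assumed_role(BREAK_GLASS_ROLE_ARN)),
    ct_record("2024-01-01T00:02:00Z", "ssm.amazonaws.com", "StartSession",
              assumed_role(BREAK_GLASS_ROLE_ARN), target="i-0123456789abcdef0"),
    ct_record("2024-01-01T00:03:00Z", "s3.amazonaws.com", "GetObject",
              assumed_role("arn:aws:iam::111122223333:role/AppRole")),
]
```

Running build_alerts(SAMPLE_RECORDS) yields three alerts; the GetObject call by the ordinary application role is correctly left out.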
Author: LeetQuiz Editorial Team
A company employs SAML federation for user access to AWS accounts. Their workload, hosted in a separate AWS account, operates on immutable infrastructure without direct human access to Amazon EC2 instances. In the event of SAML errors, a designated 'break glass' user is required to access the workload account and instances. An audit revealed the absence of such a user in the workload account. The company needs to establish this user and ensure all their activities are logged and reported to the security team. Which two solutions would effectively meet these requirements?
A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities.
B. Create a break glass EC2 key pair for the AWS account. Provide the key pair to the security team. Use AWS CloudTrail to monitor key pair activity. Send notifications to the security team by using Amazon Simple Notification Service (Amazon SNS).
C. Create a break glass IAM role for the account. Allow security team members to perform the AssumeRoleWithSAML operation. Create an AWS CloudTrail trail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor security team activities.
D. Create a local individual break glass IAM user on the operating system level of each workload instance. Configure unrestricted security groups on the instances to grant access to the break glass IAM users.
E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic.