ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A company is moving its financial reporting application to a public IaaS provider. A security policy states that:
All human administrators must use multi-factor authentication (MFA).
No long-lived secret keys may be stored in source-code repositories or build pipelines.
Currently, the on-premises CI/CD server uploads application images to the cloud by exporting an access key and secret key that belong to an administrator-level account.
Which change will BEST satisfy the policy with minimal modification to the existing pipeline scripts?
Store the existing administrator access key and secret key in a managed secrets vault service and have the pipeline retrieve them programmatically during each run.
Replace the existing administrator account with a new IAM user that enforces virtual MFA and use its access key and secret key in the pipeline.
Create a dedicated IAM role for the upload task and have the pipeline call the cloud provider's Security Token Service to assume that role and obtain temporary credentials at run time.
Keep the current access key but enable an automatic rotation policy so that the key pair is changed every 30 days and updated in the pipeline variables.
Replacing the long-lived administrator access key with an IAM role that the pipeline assumes through the provider's Security Token Service eliminates the need to store permanent credentials in code and issues time-bound keys instead. The administrator who configures the role can be protected with MFA, and the CI/CD job simply calls the AssumeRole API to obtain temporary credentials before each upload. Rotating or vaulting long-lived keys still violates the policy, and creating more MFA-protected IAM users does not remove the underlying need to embed static secrets.
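The following is an added example, not part of the original question. It shows a pre-flight check a pipeline could run before the upload step, assuming AWS naming (the AssumeRole response layout, and access key IDs prefixed AKIA for IAM user keys and ASIA for STS-issued keys). The function names, the one-hour lifetime ceiling and all sample values are constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# AWS access key ID prefixes: AKIA = long-lived IAM user key, ASIA = temporary STS key.
LONG_LIVED_KEY = re.compile(r"\bAKIA[A-Z0-9]{16}\b")
MAX_LIFETIME = timedelta(hours=1)  # assumed policy ceiling for a single upload job


def find_long_lived_keys(text):
    """Return static IAM user key IDs found in a pipeline script or variable dump."""
    return LONG_LIVED_KEY.findall(text)


def env_from_assume_role(response_json, now):
    """Validate an AssumeRole response and return the env vars the upload step needs."""
    creds = json.loads(response_json)["Credentials"]
    key_id = creds["AccessKeyId"]
    if not key_id.startswith("ASIA"):
        raise ValueError("not a temporary credential: prefix " + key_id[:4])
    if not creds.get("SessionToken"):
        raise ValueError("temporary credentials must carry a session token")
    # Accept both "...Z" and "...+00:00" timestamp spellings.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= now:
        raise ValueError("credentials already expired")
    if expires - now > MAX_LIFETIME:
        raise ValueError("credential lifetime exceeds the policy ceiling")
    return {
        "AWS_ACCESS_KEY_ID": key_id,
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


# Constructed sample data: the old pipeline variables and an AssumeRole reply.
OLD_PIPELINE_VARS = "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
SAMPLE_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLETEMPKEY00",
    "SecretAccessKey": "constructed-secret-value",
    "SessionToken": "constructed-session-token",
    "Expiration": "2024-01-01T12:15:00Z",
}})
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("static keys found:", find_long_lived_keys(OLD_PIPELINE_VARS))
    print("env for upload step:", sorted(env_from_assume_role(SAMPLE_RESPONSE, NOW)))
```

Because the returned variables use the same names the existing export-based scripts already read, the upload commands themselves do not change; only the source of the credentials does.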
Cloud Platform & Infrastructure Security