ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A company manages employees and short-term contractors in an external identity governance platform recording each person's start and end dates. All workloads run in a single AWS account where users currently sign in with IAM credentials. The security team must ensure that a contractor's console and API access are automatically revoked on the contract end date with minimal ongoing effort. Which approach best meets these requirements?
Place contractor IAM accounts in a dedicated AWS Organizations OU governed by a deny-all service control policy that administrators activate when contracts expire.
Integrate the identity governance platform with AWS IAM Identity Center by enabling SCIM-based automatic user and group provisioning and de-provisioning.
Run a daily AWS Lambda function that downloads the IAM credential report, checks user tags for end dates, and disables any expired users and keys.
Require all IAM users to rotate their access keys every 90 days and rely on key expiration to restrict access after contracts end.
Integrating the HR-backed identity platform with AWS IAM Identity Center (formerly AWS SSO) by using the System for Cross-Domain Identity Management (SCIM) protocol off-loads the entire provisioning and de-provisioning workflow to the managed service. When the HR system flags that a contractor's employment has ended, the SCIM connector automatically removes the corresponding user and group assignments in IAM Identity Center, which in turn revokes console sign-in and invalidates any associated AWS credentials, without requiring custom code or manual reviews.
Scheduling a Lambda function to parse credential reports still leaves the organization responsible for writing and maintaining custom logic, increasing operational overhead. Automatic key rotation merely ages out access keys but leaves console passwords and active sessions untouched. Service control policies apply at the AWS Organizations level and do not delete or disable individual IAM principals; they would also require administrative updates for each departing contractor. Therefore, leveraging SCIM-based provisioning in IAM Identity Center is the most effective and least operationally intensive solution.
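To make the SCIM de-provisioning step concrete, here is an added example (not part of the practice question or of any AWS or vendor code) that models what the governance platform's connector does on a contract end date: it compares HR records against the users held by the SCIM server and emits RFC 7644 PatchOp requests that set active=false, plus a drift check a defender can run to confirm nothing stayed active. The HR records, SCIM user snapshot, user ids and the SCIM base URL are all constructed placeholders.

```python
from datetime import date
import json

# Constructed HR records from the governance platform: externalId -> contract end date.
HR_RECORDS = {
    "c-1001": {"userName": "alice@example.com", "end": "2024-03-31"},
    "c-1002": {"userName": "bob@example.com", "end": "2024-12-31"},
}
# Constructed snapshot of users the SCIM server (IAM Identity Center) currently holds.
SCIM_USERS = [
    {"id": "u-111", "externalId": "c-1001", "userName": "alice@example.com", "active": True},
    {"id": "u-222", "externalId": "c-1002", "userName": "bob@example.com", "active": True},
    {"id": "u-333", "externalId": "c-1003", "userName": "carol@example.com", "active": True},
]
SCIM_BASE = "https://scim.<region>.amazonaws.com/<tenant-id>/scim/v2"  # placeholder, not a real tenant


def contract_expired(record, today_iso):
    """True once the contract end date has passed (the end date itself is the last valid day)."""
    return date.fromisoformat(record["end"]) < date.fromisoformat(today_iso)


def deprovision_requests(hr, scim_users, today_iso):
    """Build the SCIM requests the connector sends for contractors whose contract has ended.
    Uses the RFC 7644 PatchOp shape to set active=false; a DELETE /Users/{id} is the alternative."""
    by_ext = {u["externalId"]: u for u in scim_users}
    requests = []
    for ext, rec in hr.items():
        user = by_ext.get(ext)
        if user is None or not user["active"] or not contract_expired(rec, today_iso):
            continue  # unknown to SCIM, already inactive, or still under contract
        body = {
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}],
        }
        requests.append({"method": "PATCH", "url": f"{SCIM_BASE}/Users/{user['id']}", "body": body})
    return requests


def access_drift(hr, scim_users, today_iso):
    """Control check: active SCIM users with no HR record or an expired one (should be empty)."""
    return sorted(u["userName"] for u in scim_users if u["active"]
                  and (u["externalId"] not in hr or contract_expired(hr[u["externalId"]], today_iso)))


if __name__ == "__main__":
    for r in deprovision_requests(HR_RECORDS, SCIM_USERS, "2024-06-01"):
        print(r["method"], r["url"], json.dumps(r["body"]))
    print("still active without a valid contract:", access_drift(HR_RECORDS, SCIM_USERS, "2024-06-01"))
```

The drift check deliberately flags carol, who has no HR record at all: SCIM only revokes what the HR system knows about, so identities created outside the governance platform still need a separate review.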