ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A company uses AWS IAM Identity Center (AWS SSO) to grant employees access to multiple AWS accounts that host sensitive customer data. User identities originate in the HR system, which updates an on-premises Active Directory (AD). Recently, auditors found that some former employees could still sign in for several hours or days after their termination because administrators had to disable the accounts manually. Which approach will BEST minimize the time a departed employee retains access while also reducing ongoing administrative effort?
Enable CloudTrail log monitoring and send weekly reports of inactive users to the security team for manual review and removal.
Implement an HR-driven identity-governance workflow that uses a SCIM connector to automatically disable the user in AWS IAM Identity Center and revoke active sessions as soon as the HR record changes to terminated.
Require managers to submit a help-desk ticket on the employee's last day so administrators can manually delete the user from AD and AWS accounts.
Reduce IAM user password-expiration time to seven days so any credentials remaining after departure will become unusable quickly.
Automating de-provisioning is the most effective way to close the window between a user's termination and loss of access. Integrating the HR source of truth with AWS IAM Identity Center by using the SCIM protocol allows user status changes in the HR system (or the connected AD) to flow automatically to AWS. When the HR record is marked terminated, the SCIM connector immediately disables the corresponding Identity Center account, revokes active sessions within the allowed token grace period (typically less than 60 minutes), and removes role and group assignments, eliminating manual steps and greatly reducing risk. Shortening password-expiration periods, adding MFA, or relying on managers to open tickets still leave manual or time-based gaps and do not guarantee that all credentials and sessions are promptly revoked.
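As an added example (not part of the question, nor AWS or ISC2 material), the Python below shows the two pieces of the recommended approach a practitioner can verify: the RFC 7644 PATCH body a SCIM connector sends to set `active` to false, and an audit that measures how long each terminated employee stayed enabled in Identity Center. The HR and Identity Center timestamps are constructed sample data, and the 60-minute threshold follows the token grace period mentioned in the explanation.

```python
"""SCIM-driven deprovisioning: build the RFC 7644 PATCH that disables a user,
apply it to a user resource, and audit the HR-termination-to-disable window."""
from datetime import datetime, timedelta

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def lookup_filter(user_name: str) -> str:
    """Filter for GET /Users?filter=... to find the user by userName (RFC 7644 3.4.2.2)."""
    escaped = user_name.replace('"', '\\"')
    return f'userName eq "{escaped}"'


def deactivate_patch() -> dict:
    """Body of PATCH /Users/{id} that sets active=false (RFC 7644 3.5.2).
    The user id travels in the URL, so the body itself is user-independent."""
    return {"schemas": [SCIM_PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def apply_patch(user: dict, patch: dict) -> dict:
    """Apply a PatchOp (replace-with-path operations only) to a SCIM user resource."""
    updated = dict(user)
    for op in patch["Operations"]:
        if op["op"] != "replace" or "path" not in op:
            raise ValueError(f"unsupported operation: {op}")
        updated[op["path"]] = op["value"]
    return updated


def access_retention(hr_terminated: dict, idc_disabled: dict, max_minutes: float = 60) -> list:
    """Per user: (name, minutes between HR termination and Identity Center disable, flagged).
    A user with no disable timestamp is still enabled and is flagged with None minutes."""
    findings = []
    for user, t_term in hr_terminated.items():
        t_dis = idc_disabled.get(user)
        if t_dis is None:
            findings.append((user, None, True))
            continue
        minutes = (t_dis - t_term) / timedelta(minutes=1)
        findings.append((user, round(minutes, 1), minutes > max_minutes))
    return findings


# Constructed sample data: HR termination times and Identity Center disable times.
HR_TERMINATED = {"alice": datetime(2024, 5, 1, 9, 0),
                 "bob": datetime(2024, 5, 1, 17, 30),
                 "carol": datetime(2024, 5, 2, 12, 0)}
IDC_DISABLED = {"alice": datetime(2024, 5, 1, 9, 12),   # SCIM-driven, 12 minutes
                "bob": datetime(2024, 5, 3, 8, 0)}       # manual, 38.5 hours later
                                                         # carol: never disabled

if __name__ == "__main__":
    for name, minutes, flagged in access_retention(HR_TERMINATED, IDC_DISABLED):
        print(name, minutes, "FLAGGED" if flagged else "ok")
```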