ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A security administrator must be alerted within minutes whenever the IAM role named "AppServerRole" is deleted or its attached policies are changed. The solution must keep a history of all configuration states for audits and should avoid writing and maintaining custom code. Which solution best meets these requirements?
Rely on AWS Trusted Advisor's IAM checks and subscribe the security team to its weekly report of security recommendations.
Enable AWS Config for IAM resources, create a rule that evaluates AppServerRole on every configuration change, and configure the rule to send an Amazon SNS notification when the role is non-compliant.
Run IAM Access Analyzer continuously and configure it to notify the security team of any findings related to AppServerRole.
Enable AWS CloudTrail and schedule a daily Amazon Athena query that searches for DeleteRole or PutRolePolicy events, then emails the results through Amazon SES.
AWS Config records configuration changes for supported resource types, including IAM roles and their attached policies. By enabling AWS Config and turning on recording for IAM resources, every change to AppServerRole is captured and stored, providing a complete audit trail. A managed or custom AWS Config rule can be created to evaluate the role's configuration on every change; when the rule reports non-compliance (for example, the required policy is missing or the role is deleted), AWS Config can publish an Amazon SNS notification that reaches the security team within minutes. CloudTrail also logs the API calls but does not evaluate compliance; administrators would have to write and maintain custom queries or Lambda functions to detect the events. IAM Access Analyzer focuses on identifying unintended external access, not on tracking all role changes. Trusted Advisor's IAM checks run periodically (often daily or weekly) and therefore cannot meet the near-real-time alerting requirement.
ISC2 Systems Security Certified Practitioner (SSCP)
Access Controls