ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
While reviewing CloudTrail logs in the SIEM, you see that an IAM user generated 240 ConsoleLogin failure events within 45 seconds. Five seconds later, a successful ConsoleLogin from the same source IP is followed immediately by an IAM CreateAccessKey API call. No other users show similar behavior. Based on this event data, which conclusion is most appropriate?
An AWS service health issue caused the failures; the subsequent access-key creation is unrelated to any malicious activity.
The account was probably brute-forced, and the attacker is creating a new access key to maintain persistent access.
The user is running an automated credential-rotation script, so the events are expected and no action is required.
The pattern results from AWS regional console replication delays and can safely be ignored as benign.
A burst of repeated failed ConsoleLogin attempts suggests a brute-force or credential-stuffing attempt. The near-instantaneous successful login from the same IP, immediately followed by creation of a new access key, matches a common attacker workflow: compromise an account and then establish persistence by generating long-lived credentials. Routine key rotation would not normally be preceded by hundreds of failed logins, AWS regional replication does not produce ConsoleLogin failures, and service-side issues do not trigger CreateAccessKey events. Therefore, the analyst should assume the account is likely compromised and treat the activity as an incident.
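The sequence described in the explanation, written as a detection rule over CloudTrail records. This is an added example, not part of the original question; the thresholds, user names, IP addresses and sample events are constructed, and correlating the CreateAccessKey call on the same user and source IP is an assumption.

```python
from datetime import datetime, timedelta

# Tuning values are assumptions for this example, not thresholds from the page.
FAIL_THRESHOLD = 20                    # failures that count as a burst
BURST_WINDOW = timedelta(seconds=60)   # failures must fall this close to the success
FOLLOW_WINDOW = timedelta(minutes=5)   # CreateAccessKey must follow the success this soon
FMT = "%Y-%m-%dT%H:%M:%SZ"             # CloudTrail eventTime format

def detect(records):
    """Alert on: ConsoleLogin failure burst -> success from same IP -> CreateAccessKey."""
    alerts, state = [], {}
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        user = rec.get("userIdentity", {}).get("userName")
        ip = rec.get("sourceIPAddress")
        st = state.setdefault((user, ip), {"fails": [], "success": None})
        t = datetime.strptime(rec["eventTime"], FMT)
        name = rec.get("eventName")
        result = (rec.get("responseElements") or {}).get("ConsoleLogin")
        if name == "ConsoleLogin" and result == "Failure":
            st["fails"].append(t)
        elif name == "ConsoleLogin" and result == "Success":
            recent = [f for f in st["fails"] if t - f <= BURST_WINDOW]
            # Only a success that closes a failure burst arms the key-creation check.
            st["success"] = (t, len(recent)) if len(recent) >= FAIL_THRESHOLD else None
            st["fails"] = []
        elif name == "CreateAccessKey" and st["success"]:
            s_time, count = st["success"]
            if t - s_time <= FOLLOW_WINDOW:
                alerts.append({"user": user, "ip": ip, "failures": count,
                               "key_created": rec["eventTime"]})
    return alerts

def _rec(name, user, ip, t, result=None):
    # Constructed, simplified CloudTrail record carrying only the fields used above.
    return {"eventName": name, "eventTime": t.strftime(FMT), "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": result} if result else None}

def sample_records():
    """Constructed events: the question's pattern for 'alice', a normal session for 'bob'."""
    base, sec = datetime(2024, 1, 1, 12, 0, 0), lambda n: timedelta(seconds=n)
    recs = [_rec("ConsoleLogin", "alice", "203.0.113.10", base + sec(i * 45 // 239), "Failure")
            for i in range(240)]
    recs += [_rec("ConsoleLogin", "alice", "203.0.113.10", base + sec(50), "Success"),
             _rec("CreateAccessKey", "alice", "203.0.113.10", base + sec(51)),
             _rec("ConsoleLogin", "bob", "198.51.100.7", base + sec(10), "Failure"),
             _rec("ConsoleLogin", "bob", "198.51.100.7", base + sec(20), "Success"),
             _rec("CreateAccessKey", "bob", "198.51.100.7", base + sec(30))]
    return recs

if __name__ == "__main__":
    for alert in detect(sample_records()):
        print(alert)
```

A single mistyped password followed by a login and key creation, as in the constructed 'bob' session, stays below the threshold and raises no alert.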
ISC2 Systems Security Certified Practitioner (SSCP)
Risk Identification, Monitoring and Analysis