ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company runs multiple AWS accounts under AWS Organizations. The security team aims to remove standing administrator rights yet let on-call engineers get temporary full access during emergencies. Requirements: no long-lived access keys on engineer identities, a 60-minute maximum elevation session, and centralized auditing of every elevation event without additional infrastructure. Which solution best meets these goals?
Create an IAM user called EmergencyAdmin in every account, attach AdministratorAccess, and mandate MFA for console sign-in.
Store a shared set of Administrator access keys in AWS Secrets Manager; grant engineers read access to the secret only when on call.
Enable CloudTrail in all accounts and schedule an AWS Lambda function to attach and remove AdministratorAccess to engineer IAM users on demand.
Create an IAM role with AdministratorAccess, set its maximum session duration to 1 hour, require MFA for AssumeRole, and rely on AWS CloudTrail for logging.
An IAM role that holds AdministratorAccess and is trusted by the engineers' IAM principals satisfies the objectives when combined with MFA and STS-issued temporary credentials. Engineers keep low-privilege IAM identities and use the console or AWS CLI to AssumeRole, which requires MFA and issues credentials that expire after the configured 1-hour session limit. Because the credentials are temporary, no long-lived access keys reside on engineer accounts. AWS CloudTrail automatically records every AssumeRole call and all subsequent actions taken with the role, providing centralized audit logs without extra services.
Incorrect options:
Creating dedicated IAM users with permanent AdministratorAccess leaves standing privileges and persistent access keys.
Attaching and removing AdministratorAccess via automation still produces uncontrolled standing privileges and adds operational complexity; CloudTrail cannot reliably prove when permissions were active.
Storing long-lived admin keys in AWS Secrets Manager retains persistent credentials and does not enforce automatic expiry or guarantee audit of their usage.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is IAM and why is it crucial in AWS?
Open an interactive chat with Bash
How does AWS CloudTrail help with auditing and logging in security?
Open an interactive chat with Bash
What are temporary credentials and why are they better than long-lived access keys?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Access Controls
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .