ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company uses Azure AD to federate workforce identities with several AWS accounts through AWS IAM Identity Center (AWS SSO). A few legacy automation scripts still rely on IAM users that possess long-lived access keys. When HR marks an employee as terminated, an automated off-boarding workflow is triggered. Which single action best ensures the former employee can no longer invoke AWS APIs after their Azure AD account is disabled?
Invoke the IAM DeleteAccessKey API to remove every active access key assigned to the user.
Attach an explicit deny policy to the IAM user that blocks all actions except sts:AssumeRole.
Disable the user's Azure AD account so that expired SAML sessions automatically block all AWS access.
Enable CloudTrail Insights to flag any anomalous calls and investigate them manually.
Disabling the Azure AD account immediately stops the user from obtaining new SAML tokens, but it has no effect on any existing IAM access keys that provide direct API access. The most reliable way to block that channel is to remove the keys entirely. Deleting (or at least deactivating) every active access key associated with the IAM user renders any stored credentials useless, eliminating programmatic access without relying on additional monitoring or enforcement mechanisms. Simply attaching a restrictive policy or monitoring CloudTrail leaves either residual risk (policies can be changed) or only after-the-fact detection. Therefore, deleting the access keys is the most effective de-provisioning step.
Access Controls