Home › AWS Security › cloudcomputing › scsthreatresponse › After detecting that a long-lived IAM access key…
After detecting that a long-lived IAM access key has been leaked publicly, which response is the CORRECT order under SCS-C02 §1.3?
ADelete the key immediately with no replacement (production outage)
BDisable CloudTrail to hide the leak
CTell the engineer to be more careful next time
DDeactivate the key → rotate (create new + update consumers) → delete the old key after verification
Answer & Solution
Correct answer: D. Deactivate the key → rotate (create new + update consumers) → delete the old key after verification
Deactivate → rotate → verify → delete is the canonical leaked-key playbook (per SCS-C02 §1.1, §1.3). The other options either cause outages or hide incidents.
Related questions
Which AWS feature provides an audit-trail of every IAM principal action across the AWS accWhich AWS service enables 'continuous compliance' by recording resource config changes andWhich AWS service continuously scans EC2 instances and container images for software vulneWhich AWS service lets a responder query large volumes of CloudTrail / VPC Flow / WAF logsWhich AWS service is the canonical event-routing bus that receives Security Hub / GuardDutWhich AWS service automates incident-response runbooks — e.g. 'on compromised credential fWhich AWS feature lets a responder capture an immutable EBS volume snapshot for forensic aAn incident-response team must IMMEDIATELY isolate a suspected-compromised Amazon EC2 inst