The combination of solutions that meets the requirements is:
A. Create a local individual break glass IAM user for the security team. Create a trail in AWS CloudTrail that has Amazon CloudWatch Logs turned on. Use Amazon EventBridge to monitor local user activities. This is a valid solution because it allows the security team to access the workload AWS account and instances using a local IAM user that does not depend on SAML federation. It also enables logging and monitoring of the break glass user activities using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon EventBridge [1][2][3].
E. Configure AWS Systems Manager Session Manager for Amazon EC2. Configure an AWS CloudTrail filter based on Session Manager. Send the results to an Amazon Simple Notification Service (Amazon SNS) topic. This is a valid solution because it allows the security team to access the workload instances without opening any inbound ports or managing SSH keys or bastion hosts. It also enables logging and notification of the break glass user activities using AWS CloudTrail, Session Manager, and Amazon SNS [4][5][6].
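The monitoring half of options A and E is, in practice, a pair of EventBridge rules fed by the CloudTrail trail: one that fires on any API call made by the break glass IAM user, and one that fires when a Session Manager session is started. The following Python is an added example, not part of the original answer or of any AWS documentation; it writes out those two event patterns and evaluates them locally, with a minimal re-implementation of EventBridge's matching semantics, against constructed CloudTrail records so the logic can be checked offline. The user name `breakglass-secteam`, the account ID and the sample events are assumptions.

```python
"""Added example: EventBridge event patterns for break-glass monitoring,
checked offline against constructed CloudTrail records."""
import json

# Assumed name of the local break glass IAM user (not given in the original answer).
BREAK_GLASS_USER = "breakglass-secteam"

# Option A: any CloudTrail management event whose caller is the break glass IAM user.
BREAK_GLASS_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "userIdentity": {
            "type": ["IAMUser"],
            "userName": [BREAK_GLASS_USER],
        }
    },
}

# Option E: a Session Manager session being started on any instance.
SESSION_MANAGER_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ssm.amazonaws.com"],
        "eventName": ["StartSession"],
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge pattern semantics: every key in the pattern must be
    present in the event; a list means "actual value is one of these", a nested
    object recurses. Keys absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and matches(expected, actual)):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"pattern values must be lists or objects: {key!r}")
    return True


def classify(event: dict) -> list:
    """Names of the alerts this event would trigger, in rule order."""
    alerts = []
    if matches(BREAK_GLASS_PATTERN, event):
        alerts.append("break-glass-user-activity")
    if matches(SESSION_MANAGER_PATTERN, event):
        alerts.append("session-manager-session-start")
    return alerts


def summarize(events: list) -> dict:
    """Count how many events hit each alert across a batch of records."""
    counts = {}
    for event in events:
        for alert in classify(event):
            counts[alert] = counts.get(alert, 0) + 1
    return counts


def cloudtrail_event(source, event_source, event_name, identity):
    """Constructed CloudTrail record in the envelope EventBridge delivers."""
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": event_source,
            "eventName": event_name,
            "userIdentity": identity,
        },
    }


# Constructed identities: a SAML-federated engineer, the break glass user, an unrelated IAM user.
SAML_ENGINEER = {"type": "AssumedRole",
                 "arn": "arn:aws:sts::111122223333:assumed-role/SecTeamSAML/alice"}
BREAK_GLASS = {"type": "IAMUser", "userName": BREAK_GLASS_USER}
OTHER_USER = {"type": "IAMUser", "userName": "build-bot"}

SAMPLE_EVENTS = [
    cloudtrail_event("aws.ec2", "ec2.amazonaws.com", "DescribeInstances", SAML_ENGINEER),
    cloudtrail_event("aws.ssm", "ssm.amazonaws.com", "StartSession", BREAK_GLASS),
    cloudtrail_event("aws.sts", "sts.amazonaws.com", "GetCallerIdentity", BREAK_GLASS),
    cloudtrail_event("aws.iam", "iam.amazonaws.com", "CreateUser", OTHER_USER),
]

if __name__ == "__main__":
    # The JSON below is what you would pass as the rule's event pattern.
    print(json.dumps(BREAK_GLASS_PATTERN, indent=2))
    print(json.dumps(SESSION_MANAGER_PATTERN, indent=2))
    for event in SAMPLE_EVENTS:
        print(event["detail"]["eventName"], "->", classify(event))
    print(summarize(SAMPLE_EVENTS))
```

Running it shows the federated engineer's normal activity and the unrelated IAM user producing no alert, the break glass user's `GetCallerIdentity` raising only the option A alert, and the break glass user's `StartSession` raising both. The break glass session is the interesting case: it is expected to be rare, so a rule that routes either alert to an SNS topic gives the security team a notification every time the emergency path is actually used, which is the audit trail the question is asking for.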
The other options are incorrect because:
B. Creating a break glass EC2 key pair for the AWS account and providing it to the security team is not a valid solution, because it requires opening inbound ports on the instances and managing SSH keys, which increases the security risk and complexity [7].
C. Creating a break glass IAM role for the account and allowing security team members to perform the AssumeRoleWithSAML operation is not a valid solution, because it still depends on SAML federation, which might not work in case of SAML errors [8].
D. Creating a local individual break glass IAM user on the operating system level of each workload instance and configuring unrestricted security groups on the instances to grant access to the break glass IAM users is not a valid solution, because it requires opening inbound ports on the instances and managing multiple local users, which increases the security risk and complexity [9].
References:
1. Creating an IAM User in Your AWS Account
2. Creating a Trail - AWS CloudTrail
3. Using Amazon EventBridge with AWS CloudTrail
4. Setting up Session Manager - AWS Systems Manager
5. Logging Session Manager sessions - AWS Systems Manager
6. Amazon Simple Notification Service
7. Connecting to your Linux instance using SSH - Amazon Elastic Compute Cloud
8. AssumeRoleWithSAML - AWS Security Token Service
9. IAM Users - AWS Identity and Access Management