You are an AWS system administrator in a company. You just received an abuse report from AWS saying that your AWS account may be compromised. You check the account and do not find any unrecognized AWS resources. However, an IAM user (Bob) has an unexpected policy called AWSExposedCredentialPolicy_DO_NOT_REMOVE. You do not want to delete the user as the user is valid. Which of the following actions would you take to address this security issue in the most suitable way?

Answer options:

A.Delete the IAM policy AWSExposedCredentialPolicy_DO_NOT_REMOVE and make sure no IAM users use this unknown policy.
B.Remove all IAM policies assigned to Bob.
C.Delete all the existing IAM users and recreate them with new passwords.
D.Delete the policy and rotate the access keys for the user Bob.

Correct Answer – D
When you receive an abuse report from AWS, you should review the abuse notice to see what content or activity was reported. Details can be found in https://aws.amazon.com/premiumsupport/knowledge-center/aws-abuse-report/ and
https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/.
Option A is incorrect: Because the IAM user Bob may be compromised. The user may create another IAM policy.
Option B is incorrect: Same reason as
Option A.Option C is incorrect: Because you only need to deal with the IAM users that you didn`t create or are compromised.
Option D is CORRECT: Please check https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/ for the suggested methods when there are unauthorized activities in an AWS account. You should rotate the access keys in this situation.