Q99 — AWS SCS-C02 Ch.1
A security engineer recently rotated all IAM access keys in an AWS account. The security engineer then configured AWS Config and enabled the following AWS Config managed rules: mfa-enabled-for-iam-console-access, iam-user-mfa-enabled, access-keys-rotated, and iam-user-unused-credentials-check. The security engineer notices that all resources are displaying as noncompliant after the IAM GenerateCredentialReport API operation is invoked. What could be the reason for the noncompliant status?
- A. The IAM credential report was generated within the past 4 hours.   ✓
- B. The security engineer does not have the GenerateCredentialReport permission.  
- C. The security engineer does not have the GetCredentialReport permission.  
- D. The AWS Config rules have a Maximum ExecutionFrequency value of 24 hours.
Correct Answer: A. The IAM credential report was generated within the past 4 hours.  
Explanation
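AWS Config rule evaluation depends on how current the underlying resource data is. After an IAM credential report is generated, it can take up to 4 hours to reflect the latest changes. The AWS documentation notes that credential reports generated with the GenerateCredentialReport API carry a data delay of up to 4 hours. If the API is called right away, the resulting report does not yet contain the latest key rotation information, so the AWS Config rules evaluate against stale data and report a noncompliant status. Option A correctly reflects this mechanism; the execution frequency in option D, 24 hours by default, is not the direct cause, and the permission issues in B/C have nothing to do with whether the report can be generated.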