jjenkyn
If an attacker has your access and secret key, they likely have used STS to get a session by assuming role. You need to invalidate that session too after disabling their access key. Not sure if this is in the exam, but a crucial middle step in Incident Response for key compromise.
https://docs.aws.amazon.com/IAM/latest/UserGuide//id_roles_use_revoke-sessions.html
Again see AWS-IR here: https://github.com/ThreatResponse/aws_ir
Good suggestion. Link is https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
Ha. The message board system thinks the underscores are markdown for italics… Can’t fix in my post.