While supporting a hybrid workforce, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible, and which evidence should guide that decision?
The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need an action that reduces risk while preserving the investigation record.
Why this answer
The correct first step is to disable or rotate the compromised cloud access key and review actions performed with it. This immediately revokes the attacker's access, preventing further unauthorized use, while the review of logs and API calls determines the scope of the breach. Waiting or blocking the developer's laptop does not address the exposed credential or the active threat from the unfamiliar IP.
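The log review that follows the key rotation is the evidence the eradication decision rests on. As an added illustration (not part of the original exam material), the script below scopes a leaked key's activity over a constructed sample of records shaped like AWS CloudTrail events; the key IDs, IP addresses, the corporate egress range and the list of state-changing actions are all assumptions made for the example.

```python
import json
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records in the shape of AWS CloudTrail events (not real logs).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2024-05-01T08:02:11Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com","sourceIPAddress":"10.20.0.5","userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED"}},
 {"eventTime":"2024-05-01T09:15:40Z","eventName":"GetObject","eventSource":"s3.amazonaws.com","sourceIPAddress":"10.20.0.5","userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED"}},
 {"eventTime":"2024-05-01T22:47:03Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com","sourceIPAddress":"203.0.113.77","userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED"}},
 {"eventTime":"2024-05-01T22:48:19Z","eventName":"RunInstances","eventSource":"ec2.amazonaws.com","sourceIPAddress":"203.0.113.77","userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED"}},
 {"eventTime":"2024-05-01T22:50:02Z","eventName":"CreateUser","eventSource":"iam.amazonaws.com","sourceIPAddress":"203.0.113.77","userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED"}},
 {"eventTime":"2024-05-01T23:00:00Z","eventName":"GetObject","eventSource":"s3.amazonaws.com","sourceIPAddress":"10.20.0.9","userIdentity":{"accessKeyId":"AKIAOTHERKEY"}}
]""")

# Egress range the developer's key is expected to be used from (assumed for the example).
KNOWN_NETWORKS = [ip_network("10.20.0.0/16")]

# Actions that create resources or grant access: if the leaked key performed any of
# these, rotating the key alone is not enough and the artifacts must be found and removed.
WRITE_ACTIONS = {"RunInstances", "CreateUser", "CreateAccessKey",
                 "PutUserPolicy", "AttachUserPolicy", "PutObject"}


def scope_key_usage(events, access_key_id, known_networks=KNOWN_NETWORKS):
    """Summarise what a key did and from where, so the eradication plan rests on
    the audit record rather than on guesswork."""
    hits = [e for e in events if e["userIdentity"].get("accessKeyId") == access_key_id]
    unfamiliar = [e for e in hits
                  if not any(ip_address(e["sourceIPAddress"]) in n for n in known_networks)]
    times = sorted(datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
                   for e in unfamiliar)
    return {
        "total_events": len(hits),
        "unfamiliar_ips": sorted({e["sourceIPAddress"] for e in unfamiliar}),
        "unfamiliar_first_seen": times[0].isoformat() if times else None,
        "unfamiliar_last_seen": times[-1].isoformat() if times else None,
        "actions_from_unfamiliar": dict(Counter(e["eventName"] for e in unfamiliar)),
        # Persistence or resource creation widens eradication beyond the key itself.
        "followup_artifacts": sorted({e["eventName"] for e in unfamiliar
                                      if e["eventName"] in WRITE_ACTIONS}),
    }


if __name__ == "__main__":
    print(json.dumps(scope_key_usage(SAMPLE_EVENTS, "AKIAEXAMPLELEAKED"), indent=2))
```

The window between `unfamiliar_first_seen` and `unfamiliar_last_seen` and the `followup_artifacts` list are what justify the eradication scope; the original records stay untouched so the investigation record is preserved.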
Exam trap
Cisco often tests the principle of immediate containment over investigation or blame; the trap here is choosing a delay tactic (Option A) or a non-technical, irrelevant action (Option C) instead of the direct, credential-focused containment step.
How to eliminate wrong answers
Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially leading to data exfiltration, resource abuse, and escalating costs. Option C is wrong because blocking the developer's laptop from Wi-Fi does not revoke the compromised cloud access key; the key can still be used from any other device or IP, and this action does not address the root cause or the ongoing threat.