Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 345 discussion

A company uses an organization in AWS Organizations that has all features enabled to manage its AWS accounts. Amazon EC2 instances run in the AWS accounts.

The company requires that all current EC2 instances must use Instance Metadata Service Version 2 (IMDSv2). The company needs to block AWS API calls that originate from EC2 instances that do not use IMDSv2.

Which solution will meet these requirements?

  • A. Create a new SCP statement that denies the ec2:RunInstances action when the ec2:MetadataHttpTokens condition key is not equal to the value of required. Attach the SCP to the root of the organization.
  • B. Create a new SCP statement that denies the ec2:RunInstances action when the ec2:MetadataHttpPutResponseHopLimit condition key value is greater than two. Attach the SCP to the root of the organization.
  • C. Create a new SCP statement that denies "*" when the ec2:RoleDelivery condition key value is less than two. Attach the SCP to the root of the organization.
  • D. Create a new SCP statement that denies when the ec2:MetadataHttpTokens condition key value is not equal to required. Attach the SCP to the root of the organization.
Suggested Answer: D

Comments

Impromptu
Highly Voted 5 months, 1 week ago
Selected Answer: D
I think it's D. It must indeed use the ec2:MetadataHttpTokens condition key, but if we only deny ec2:RunInstances, then the already running EC2 instances can still make AWS API calls, even if they are not using IMDSv2.
upvoted 6 times
teo2157
Highly Voted 4 months, 2 weeks ago
Selected Answer: D
Going for D, as A just enforces that new EC2 instances use IMDSv2, but there can be old instances not running IMDSv2 that can still make API calls...
upvoted 6 times
Srikantha
Most Recent 3 weeks, 6 days ago
Selected Answer: A
Service Control Policies (SCPs) allow you to control which actions are allowed or denied across an entire organization or specific organizational units (OUs) in AWS Organizations. The ec2:MetadataHttpTokens condition key is used to enforce IMDSv2. Setting the value to required ensures that the EC2 instances launched must use IMDSv2, as IMDSv1 would be denied. By denying ec2:RunInstances when the IMDSv2 condition is not met, you are enforcing the policy for all EC2 instances launched, preventing the creation of instances without IMDSv2.
upvoted 1 times
DKM
1 month, 1 week ago
Selected Answer: A
This Service Control Policy (SCP) ensures that any attempt to launch EC2 instances without using IMDSv2 will be denied. By attaching this SCP to the root of the organization, it will apply to all accounts within the organization, ensuring compliance across the board. Here is an example of the SCP statement:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:MetadataHttpTokens": "required"
        }
      }
    }
  ]
}
upvoted 1 times
DKM
1 month, 1 week ago
Selected Answer: A
Here's why:
Service Control Policies (SCPs): SCPs allow you to set permission guardrails for all accounts in your organization. By creating an SCP that denies the ec2:RunInstances action when the ec2:MetadataHttpTokens condition key is not set to required, you ensure that only instances configured to use IMDSv2 can be launched.
Condition Key: The ec2:MetadataHttpTokens condition key ensures that the instance metadata service requires the use of IMDSv2.
This approach enforces the use of IMDSv2 across all EC2 instances in the organization, enhancing security by preventing the use of the less secure IMDSv1.
upvoted 1 times
CHRIS12722222
4 months ago
Selected Answer: D
Option A will prevent creating EC2 instances, allowing existing ones to violate the policy.
upvoted 4 times
uncledana
5 months, 2 weeks ago
Selected Answer: A
Option A provides the correct solution by using the ec2:MetadataHttpTokens condition key in an SCP to deny the ec2:RunInstances action for instances that do not have IMDSv2 enabled. This is the most effective way to ensure compliance with the company’s requirement.
upvoted 3 times
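Several commenters point out that an SCP on ec2:RunInstances says nothing about instances that are already running. The audit-and-remediate helper below is an added example for this thread, not code from the exam or any commenter: it reads an EC2 DescribeInstances response (the sample payload is constructed), lists instances whose metadata service still accepts IMDSv1, and sets HttpTokens to required on them. The client is injected so the block runs offline; with boto3 you would pass boto3.client("ec2") and run it per account and region in the organization (an assumption about your deployment, not something the thread specifies).

```python
"""Audit EC2 instances for IMDSv1 exposure and enforce IMDSv2 on the stragglers."""

# Constructed sample in the shape of an ec2:DescribeInstances response.
SAMPLE_DESCRIBE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111aaa111aaa1",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222bbb222bbb2",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333ccc333ccc3",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


def imdsv1_exposed(describe_response: dict) -> list:
    """Return ids of instances whose metadata service does not require IMDSv2.

    HttpTokens == "optional" means a plain GET without a session token is served.
    An instance with the endpoint disabled is unreachable today but is still
    reported, so it is fixed before anyone re-enables the endpoint.
    """
    exposed = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def enforce_imdsv2(ec2_client, instance_ids: list) -> list:
    """Set HttpTokens=required via ModifyInstanceMetadataOptions; return ids changed.

    Only HttpTokens is touched: the endpoint state and hop limit are left as they
    are so a disabled endpoint stays disabled and container workloads keep working.
    """
    changed = []
    for instance_id in instance_ids:
        ec2_client.modify_instance_metadata_options(
            InstanceId=instance_id, HttpTokens="required")
        changed.append(instance_id)
    return changed


class RecordingEc2:
    """Stand-in for boto3's EC2 client that records the calls it receives."""
    def __init__(self):
        self.calls = []

    def modify_instance_metadata_options(self, **kwargs):
        self.calls.append(kwargs)
        return {"InstanceId": kwargs["InstanceId"]}
```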
Community vote distribution
A (35%)
C (25%)
B (20%)
Other