Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam

Exam AWS Certified Security - Specialty topic 1 question 440 discussion

Exam question from Amazon's AWS Certified Security - Specialty

Question #: 440
Topic #: 1

[All AWS Certified Security - Specialty Questions]

A company uses AWS Organizations. According to compliance requirements, the company’s applications that are hosted on Amazon EC2 instances must never use IAM credentials from Instance Metadata Service Version 1 (IMDSv1).

What should a security engineer do to meet this requirement?

A. Create a security group that denies access on HTTP to 169.254.169.254. Attach this security group to all EC2 instances.
B. Deactivate all access to IMDSv1 through the instance metadata options when using the AWS CLI, AWS API, or AWS Management Console to launch an EC2 instance.
C. Attach the following SCP to the root OU in AWS Organizations:
D. Attach the following SCP to the root OU in AWS Organizations:

Show Suggested Answer

Suggested Answer: D 🗳️

by Fyssy at Nov. 20, 2022, 10:21 p.m.

Disclaimers:

- ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Submit Cancel

Balki

Highly Voted 2 years, 5 months ago

Selected Answer: D

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-instance-metadata-require-roles-to-use-IMDSv2-credentials Role Credentials is the key word

upvoted 6 times

...

landsamboni

Highly Voted 2 years, 5 months ago

Selected Answer: D

C option won't affect existing EC2 instances, so the correct answer is D.

upvoted 6 times

...

kejam

Most Recent 1 year, 6 months ago

Selected Answer: D

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html#example-ec2-2

upvoted 1 times

...

Mehdi_ahmednacer

2 years ago

C https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html

upvoted 1 times

Mehdi_ahmednacer

2 years ago

After reading different comment. i'm sure is D. C and D address the same issue. However, D addresses the issue in case EC2 instance is already running (the case of this question). While, C prevents provisioning new instances with IMDSv1

upvoted 1 times

...

examtopics_dummy

2 years, 3 months ago

Selected Answer: D

Based on https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html C is Require the use of IMDSv2 D is Require role credentials to be retrieved from IMDSv2 C stops us from starting a new instance but the question asks for "must never use IAM credentials from Instance Metadata Service Version 1 (IMDSv1)" Thus D must be correct as it "specifies that if this policy is applied to a role, and the role is assumed by the EC2 service and the resulting credentials are used to sign a request, then the request must be signed by EC2 role credentials retrieved from IMDSv2. Otherwise, all of its API calls will get an UnauthorizedOperation error. This statement/policy can be applied generally because, if the request is not signed by EC2 role credentials, it has no effect."

upvoted 4 times

...

D2

2 years, 6 months ago

C and D address the issue. However, D addresses the issue in case EC2 instance is already running. C prevents provisioning new instances with IMDSv1 https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/#require-the-use-of-imdsv2

upvoted 4 times

landsamboni

2 years, 5 months ago

So it's D.

upvoted 2 times

...

Fyssy

2 years, 6 months ago

Selected Answer: C

C is the answer

upvoted 1 times

Teknoklutz

2 years, 4 months ago

Provide the reason

upvoted 2 times

...