A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair. How can this task be accomplished?
A.
Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
B.
Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
C.
Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.
D.
Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.
A indeed seems the most likely answer, but I see that:
"key-name: The name of the key pair used when the instance was launched."
What if the compromised key is not the key used when the instance was launched?
A is correct, if we assume the key name is known and not changed since its launch. But D is correct if CloudTrail sends logs to CloudWatch and the query is used. D is cleaner.
The following command gives an output of ALL EC2 instances in that region which have a particular key:
aws ec2 describe-instances --filters "Name=key-name,Values=MyKeyPair1" --region ap-southeast-1
If there had been another option of CloudTrail events, then that too captures the events around those keys' creation, deletion, etc. with the associated instance ID.
The correct answer is A.
Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key-name,Values=KEYNAMEHERE".
You need to find which servers have the compromised key, so A is correct.
C will show you the following:
[root@ip- ~]# curl http://169.254.169.254/latest/meta-data/public-keys/0/
openssh-key
A - we do not need the fingerprint, which is to verify the private key, but just the key name.
Refer to this link on how to show the key name of the EC2 instance.
https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html
Why is C not correct?
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#identify-key-pair-specified-at-launch
The public key that you specified when you launched an instance is also available to you through its instance metadata. To view the public key that you specified when launching the instance, use the following command from your instance:
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
I found the reason why C is not correct. The above command has to be run from the instance. The question asks for the list of EC2s that were deployed using the compromised key pair, and the command in A can be run from the AWS CLI, not from the EC2 instance.
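The thread above makes two points: the `key-name` filter in option A only reflects the key pair named at launch, and the metadata path in option C has to be run on each instance. The following is an added example (not from the original question or any of the commenters) that works offline on a constructed `describe-instances` JSON document shaped like the AWS CLI output. It narrows the result to current Linux instances, as the question asks, by skipping `terminated` instances and instances whose `Platform` is `windows` (EC2 omits that field for Linux). A second helper shows the comparison you would do with the `public-keys/0/openssh-key` metadata value if you also wanted to confirm, on the box, that the key material matches. Instance IDs, key names, and the public-key strings are all made up for the sample.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
# Nothing here comes from a real account: IDs and key names are invented.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            # Linux, running, launched with the compromised key -> should be reported
            {"InstanceId": "i-0a1b2c3d4e5f60001", "KeyName": "compromised-key",
             "State": {"Name": "running"}},
            # Windows instance with the same key -> out of scope for a Linux sweep
            {"InstanceId": "i-0a1b2c3d4e5f60002", "KeyName": "compromised-key",
             "Platform": "windows", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            # Different key pair -> not reported
            {"InstanceId": "i-0a1b2c3d4e5f60003", "KeyName": "other-key",
             "State": {"Name": "running"}},
            # Already terminated -> not a "current" instance
            {"InstanceId": "i-0a1b2c3d4e5f60004", "KeyName": "compromised-key",
             "State": {"Name": "terminated"}},
            # Launched without a key pair at all (no KeyName field)
            {"InstanceId": "i-0a1b2c3d4e5f60005",
             "State": {"Name": "running"}},
        ]},
    ]
})


def instances_using_key(describe_output: str, key_name: str) -> list:
    """Return IDs of current Linux instances launched with `key_name`.

    Equivalent to the option-A filter "Name=key-name,Values=<key_name>",
    plus the Linux / not-terminated narrowing the question asks for.
    Caveat from the thread: KeyName is the key pair named at launch; a key
    added later to ~/.ssh/authorized_keys on the host is invisible here.
    """
    data = json.loads(describe_output)
    matches = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("KeyName") != key_name:
                continue
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            if inst.get("Platform", "").lower() == "windows":
                continue
            matches.append(inst["InstanceId"])
    return sorted(matches)


def public_key_matches(metadata_openssh_key: str, known_public_key: str) -> bool:
    """Compare the `public-keys/0/openssh-key` metadata value with a known key.

    Only the key type and the base64 body are compared; the trailing comment
    (often the key pair name) is ignored because it carries no key material.
    This is the on-instance check the thread notes option C amounts to.
    """
    def core(line: str):
        parts = line.strip().split()
        return tuple(parts[:2]) if len(parts) >= 2 else None

    a, b = core(metadata_openssh_key), core(known_public_key)
    return a is not None and a == b


if __name__ == "__main__":
    # Constructed public-key strings; the base64 bodies are placeholders.
    leaked = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0FAKEKEYBODY compromised-key"
    print(instances_using_key(SAMPLE_DESCRIBE_INSTANCES, "compromised-key"))
    print(public_key_matches(
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0FAKEKEYBODY", leaked))
```

In practice you would feed the function the output of `aws ec2 describe-instances --output json` for each region, since the API call is regional; the `--filters "Name=key-name,..."` form from option A does the same selection server-side.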