Exam AWS Certified Security - Specialty topic 1 question 96 discussion

C is correct , disabling the instance metadata means you killed the assume role in the instance profile which is included in the metadata and caused major issues

A is the best answer here. "To turn off access to instance metadata on an existing instance....." https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html You can disable the service for existing (running or stopped) ec2 instances. https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html

C. Implement iptables-based restrictions Could block access to metadata service IP (169.254.169.254) Potentially effective but can be bypassed if students have sufficient privileges Less reliable than disabling IMDS completely ✗ Not the most effective solutionThe correct answer is A: Disable the EC2 instance metadata service. This is the most effective solution because: It completely eliminates the attack vector It's a preventive rather than detective control It's the most reliable way to ensure students can't access instance metadata Other options either don't address the specific threat or provide incomplete protection.

"non-root SSH access"..fine, then use iptables to block access to IMDS! No reason to disable IMDS, which will impact instance profiles (if needed).

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

A is correct. The question does NOT mention any requirement that IMDS will be used. If it mentioned that other processes in the Linux host would still need to connect to AWS, then the answer would be C, but that is not the case.

A is Correct

AWS security best practice is to use the iptables firewall to restrict access to the metadata service. C Source: https://d1.awsstatic.com/events/reinvent/2019/Security_best_practices_for_the_Amazon_EC2_instance_metadata_service_SEC310.pdf

if we look at another pov, could the question be saying that the admin is making use of EC2 fleets? if so you can't disable IMDS

Answer is C. NOT A. Because "If you turn off all access to instance metadata, applications or agents that rely on instance metadata access to function will break." Refer Note from following AWS Doc: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html

it is possible to disable metadata service: https://geekflare.com/disable-aws-ec2-metadata/

C is correct you can set firewall rules to block access to meta data iptables -l ==> to check the existing rules iptables -- append OUTPUT --proto tcp --destination 169.254.169.254 --match owner ! --uid-owner root --jump REJECT ==> this will only allow root to access meta data

Let’s now disable IMDS as part of instance launch: aws ec2 modify-instance-metadata-options –instance-id <instance-id> –http-endpoint disabled While the first script needs IMDS available at all times, the secure script will work without it. A good practice is to disable the IMDS as part of Instance’s User data. IMDS should be disabled by default. Only those authorized will open the service, by demand. Hence marking Answer as A

C is correct for Linux boxes but A is easier and applicable to all type of instances. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html

It seems option A and C works is this situation. The question is, do we need the instance metadata enable? If so, option A is not an option and option C is the answer. In my opinion, the instance metadata is not need in order to avoid access to other AWS resources, so why would we implement iptables if we can just disable metadata service? Option A.

A is the answer

Limit instance metadata service access You can consider using local firewall rules to disable access from some or all processes to the instance metadata service.