Exam AWS Certified Security - Specialty topic 1 question 440 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 440
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company uses AWS Organizations. According to compliance requirements, the company’s applications that are hosted on Amazon EC2 instances must never use IAM credentials from Instance Metadata Service Version 1 (IMDSv1).

What should a security engineer do to meet this requirement?

  • A. Create a security group that denies access on HTTP to 169.254.169.254. Attach this security group to all EC2 instances.
  • B. Deactivate all access to IMDSv1 through the instance metadata options when using the AWS CLI, AWS API, or AWS Management Console to launch an EC2 instance.
  • C. Attach the following SCP to the root OU in AWS Organizations:


  • D. Attach the following SCP to the root OU in AWS Organizations:

Suggested Answer: D

Comments

Balki
Highly Voted 2 years, 4 months ago
Selected Answer: D
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-instance-metadata-require-roles-to-use-IMDSv2-credentials Role Credentials is the key word
upvoted 6 times
landsamboni
Highly Voted 2 years, 4 months ago
Selected Answer: D
C option won't affect existing EC2 instances, so the correct answer is D.
upvoted 6 times
kejam
Most Recent 1 year, 5 months ago
Selected Answer: D
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html#example-ec2-2
upvoted 1 times
Mehdi_ahmednacer
1 year, 11 months ago
C https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html
upvoted 1 times
Mehdi_ahmednacer
1 year, 11 months ago
After reading different comments, I'm sure it's D. C and D address the same issue. However, D addresses the issue in case the EC2 instance is already running (the case of this question), while C prevents provisioning new instances with IMDSv1.
upvoted 1 times
examtopics_dummy
2 years, 2 months ago
Selected Answer: D
Based on https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html: C is "Require the use of IMDSv2", D is "Require role credentials to be retrieved from IMDSv2". C stops us from starting a new instance, but the question asks for "must never use IAM credentials from Instance Metadata Service Version 1 (IMDSv1)". Thus D must be correct, as it "specifies that if this policy is applied to a role, and the role is assumed by the EC2 service and the resulting credentials are used to sign a request, then the request must be signed by EC2 role credentials retrieved from IMDSv2. Otherwise, all of its API calls will get an UnauthorizedOperation error. This statement/policy can be applied generally because, if the request is not signed by EC2 role credentials, it has no effect."
upvoted 4 times
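The two SCPs the thread contrasts, and why only one of them catches an instance that is already running, can be checked offline. The following is an added example, not code from ExamTopics, AWS, or any commenter: the two policy documents follow the IMDSv2 examples in the AWS EC2 and Organizations docs linked in the comments (option C keys on `ec2:MetadataHttpTokens` at `ec2:RunInstances`; option D keys on `ec2:RoleDelivery` for every action), while the evaluator is a deliberately minimal model of IAM's Deny logic (an explicit Deny wins; a condition on a key the request does not carry does not match; `Resource` is not evaluated) and the request contexts are constructed test inputs, not real CloudTrail data.

```python
"""Offline comparison of the two candidate SCPs (added example, not from the page)."""
import json

# Option C, per the AWS example policies: block launches that leave IMDSv1
# enabled.  Only ec2:RunInstances is checked, so an instance that already
# exists is never affected.
SCP_REQUIRE_IMDSV2_AT_LAUNCH = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RequireImdsV2",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}
  }]
}
""")

# Option D, per the AWS example policies: deny every call signed with EC2 role
# credentials that were fetched through IMDSv1.  ec2:RoleDelivery is "1.0" for
# IMDSv1-obtained credentials and "2.0" for IMDSv2-obtained ones; the key is
# absent for requests not signed with instance-role credentials, so the Deny
# has no effect on those.
SCP_REQUIRE_ROLE_CREDS_FROM_IMDSV2 = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RequireAllEc2RolesToUseV2",
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"NumericLessThan": {"ec2:RoleDelivery": "2.0"}}
  }]
}
""")


def _action_matches(pattern, action):
    # Only "*" and exact matches are needed for these two policies.
    return pattern == "*" or pattern == action


def _condition_matches(condition, context):
    """True only if every operator/key pair matches the request context.

    Simplified IAM semantics: a key missing from the context makes a
    StringNotEquals / NumericLessThan test false (the ...IfExists operator
    variants are not modelled).
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "StringNotEquals":
                if actual == expected:
                    return False
            elif operator == "NumericLessThan":
                if not float(actual) < float(expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def scp_denies(policy, action, context):
    """True if any Deny statement in the SCP matches the request (Resource ignored)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt["Action"], action):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def compare_policies():
    """Evaluate constructed requests against both SCPs; returns {case: {"C": denied, "D": denied}}."""
    cases = {
        # an administrator launching instances (no instance-role credentials involved)
        "launch-imdsv1-allowed": ("ec2:RunInstances", {"ec2:MetadataHttpTokens": "optional"}),
        "launch-imdsv2-only": ("ec2:RunInstances", {"ec2:MetadataHttpTokens": "required"}),
        # an application on an already-running instance using its role credentials
        "s3-get-from-existing-instance-imdsv1": ("s3:GetObject", {"ec2:RoleDelivery": "1.0"}),
        "s3-get-from-existing-instance-imdsv2": ("s3:GetObject", {"ec2:RoleDelivery": "2.0"}),
        # a human user: ec2:RoleDelivery is absent, so option D is a no-op
        "s3-get-from-human-user": ("s3:GetObject", {}),
    }
    return {
        name: {
            "C": scp_denies(SCP_REQUIRE_IMDSV2_AT_LAUNCH, action, ctx),
            "D": scp_denies(SCP_REQUIRE_ROLE_CREDS_FROM_IMDSV2, action, ctx),
        }
        for name, (action, ctx) in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:40s} C denies: {verdict['C']!s:5}  D denies: {verdict['D']}")
```

The existing-instance cases are the point of the thread: the IMDSv1-fetched role credentials are denied only by option D, while option C never fires because the request is not `ec2:RunInstances`. Two caveats for a real deployment: SCPs do not apply to the management account of the organization, so its instances need the instance-level setting anyway, and in practice both policies are usually attached together (block IMDSv1 at launch and reject IMDSv1-delivered credentials) rather than choosing one.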
D2
2 years, 5 months ago
C and D address the issue. However, D addresses the issue in case EC2 instance is already running. C prevents provisioning new instances with IMDSv1 https://summitroute.com/blog/2020/03/25/aws_scp_best_practices/#require-the-use-of-imdsv2
upvoted 4 times
landsamboni
2 years, 4 months ago
So it's D.
upvoted 2 times
Fyssy
2 years, 5 months ago
Selected Answer: C
C is the answer
upvoted 1 times
Teknoklutz
2 years, 3 months ago
Provide the reason
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other