A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service.
What can the Administrator do to protect against this potential attack?
A . Disable the EC2 instance metadata service.
B . Log all student SSH interactive session activity.
C . Implement ip tables-based restrictions on the instances.
D . Install the Amazon Inspector agent on the instances.
Answer: A
Explanation:
"To turn off access to instance metadata on an existing instance….."
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html You can disable the service for existing (running or stopped) ec2 instances.
https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-metadata-options.html
Leave a Reply