AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 293

A company uses an organization in AWS Organizations that has all features enabled to manage its AWS accounts. Amazon EQ instances run in the AWS accounts.

The company requires that all current EC2 instances must use Instance Metadata Service Version 2 (IMDSv2). The company needs to block AWS API calls that originate from EC2 instances that do not use IMDSv2.

Which solution will meet these requirements?

Answer options

• A. Create a new SCP statement that denies the ec2:RunInstances action when the ec2:MetadataHttpTokens condition key is not equal to the value of required. Attach the SCP to the root of the organization.
• B. Create a new SCP statement that denies the ec2:RunInstances action when the ec2:MetadataHttpPutResponseHopLimit condition key value is greater than two. Attach the SCP to the root of the organization.
• C. Create a new SCP statement that denies "*" when the ec2:RoleDelivery condition key value is less than two. Attach the SCP to the root of the organization.
• D. Create a new SCP statement that denies when the ec2:MetadataHttpTokens condition key value is not equal to required. Attach the SCP to the root of the organization.

Correct answer: D

Explanation

To block all AWS API calls originating from EC2 instances that do not use IMDSv2, the SCP must deny all actions (Action: "*") when the ec2:MetadataHttpTokens condition key is not set to 'required'. Denying only the ec2:RunInstances action, as in Option A, would only prevent the creation of new non-compliant instances rather than blocking API calls from existing ones. Option B and Option C use incorrect condition keys (ec2:MetadataHttpPutResponseHopLimit and ec2:RoleDelivery) that do not enforce IMDSv2 usage for API calls.