AWS Certified Security – Specialty (SCS-C02) — Question 152

A company uses user data scripts that contain sensitive information to bootstrap Amazon EC2 instances. A security engineer discovers that this sensitive information is viewable by people who should not have access to it.

What is the MOST secure way to protect the sensitive information used to bootstrap the instances?

Answer options

• A. Store the scripts in the AMI and encrypt the sensitive data using AWS KMS. Use the instance role profile to control access to the KMS keys needed to decrypt the data.
• B. Store the sensitive data in AWS Systems Manager Parameter Store using the encrypted string parameter and assign the GetParameters permission to the EC2 instance role.
• C. Externalize the bootstrap scripts in Amazon S3 and encrypt them using AWS KMS. Remove the scripts from the instance and clear the logs after the instance is configured.
• D. Block user access of the EC2 instance's metadata service using IAM policies. Remove all scripts and clear the logs after the scripts have completed.

Correct answer: B

Explanation

Option B is the best choice as it uses AWS Systems Manager Parameter Store to securely manage sensitive data, ensuring that only the EC2 instance with the appropriate role can access it. Option A is less secure since storing scripts in the AMI might expose them to unauthorized access. Option C, while encrypting scripts, moves sensitive data to S3, which could introduce additional risks. Option D does not address the protection of sensitive information effectively and focuses on access control instead.