AWS Certified Security – Specialty (SCS-C02) — Question 258
A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1).
What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?
Answer options
- A. Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.
- B. Create an Amazon CloudWatch dashboard. Verify that the EC2:MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.
- C. Create a security group that blocks access to HTTP for the IMDSv1 endpoint. Attach the security group to all EC2 instances.
- D. Configure user data scripts for all EC2 instances to send logging information to AWS CloudTrail when IMDSv1 is used. Create a metric filter and an Amazon CloudWatch dashboard. Track the metric in the dashboard.
Correct answer: B
Explanation
The correct answer is B. EC2 publishes the MetadataNoToken metric (namespace AWS/EC2, dimension InstanceId), which counts successful instance metadata requests made without a session token, that is, IMDSv1 calls. Putting that metric for every instance on a CloudWatch dashboard and watching it stay at zero for a representative period (long enough to cover scheduled jobs and rarely exercised code paths) confirms that nothing still depends on IMDSv1. Once the count is zero, the engineer can enforce IMDSv2 by setting HttpTokens to required in each instance's metadata options. Option A does not work: IMDS requests are not logged on the instance, so the CloudWatch agent has nothing to collect and a metric filter has nothing to match. Option C is wrong on two counts: security groups cannot filter traffic to the link-local IMDS address 169.254.169.254, and blocking IMDSv1 before confirming usage would break any workload still using it; the question asks for verification, not enforcement. Option D is not feasible: CloudTrail records AWS API calls and does not accept arbitrary log data from user data scripts, so the proposed pipeline cannot be built.
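The check behind answer B, as an added example that is not part of the exam page: a script that sums the MetadataNoToken metric per instance, lists instances whose metadata options still allow IMDSv1 (HttpTokens not set to required), and reports which of those are safe to switch. The sample responses are constructed and shaped like boto3 output for CloudWatch get_metric_statistics and EC2 describe_instances; the fetch_live helper shows the live calls but is not run here, and the instance IDs are made up.

```python
"""Find EC2 instances that still use IMDSv1 and those not yet enforcing IMDSv2.

Added example, not from the exam page. Sample data below is constructed and
mirrors the shape of boto3 responses (an assumption about the response layout).
"""
from datetime import datetime, timedelta, timezone

NAMESPACE = "AWS/EC2"
METRIC = "MetadataNoToken"  # successful IMDS calls made without a token (IMDSv1)


def imdsv1_call_counts(metric_results):
    """metric_results: {instance_id: get_metric_statistics response}.
    Returns {instance_id: total IMDSv1 calls over the queried window}."""
    totals = {}
    for instance_id, resp in metric_results.items():
        # No datapoints at all means CloudWatch saw no IMDSv1 use for that instance.
        totals[instance_id] = sum(dp.get("Sum", 0) for dp in resp.get("Datapoints", []))
    return totals


def instances_still_on_imdsv1(metric_results):
    """Instances with a non-zero IMDSv1 call count: migration is not finished."""
    return sorted(i for i, n in imdsv1_call_counts(metric_results).items() if n > 0)


def instances_not_enforcing_imdsv2(describe_response):
    """Instances whose metadata options still accept IMDSv1 (HttpTokens != 'required')."""
    lax = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS is off entirely; nothing to migrate
            if opts.get("HttpTokens") != "required":
                lax.append(inst["InstanceId"])
    return sorted(lax)


def safe_to_enforce(metric_results, describe_response):
    """Instances that still allow IMDSv1 but made zero IMDSv1 calls: candidates
    for modify_instance_metadata_options(HttpTokens='required')."""
    still_used = set(instances_still_on_imdsv1(metric_results))
    return [i for i in instances_not_enforcing_imdsv2(describe_response) if i not in still_used]


def fetch_live(days=14):
    """Collect the same inputs from a real account with boto3 (not executed here;
    large fleets should use the describe_instances paginator)."""
    import boto3
    ec2, cw = boto3.client("ec2"), boto3.client("cloudwatch")
    describe = ec2.describe_instances()
    end = datetime.now(timezone.utc)
    metrics = {}
    for r in describe["Reservations"]:
        for inst in r["Instances"]:
            iid = inst["InstanceId"]
            metrics[iid] = cw.get_metric_statistics(
                Namespace=NAMESPACE, MetricName=METRIC,
                Dimensions=[{"Name": "InstanceId", "Value": iid}],
                StartTime=end - timedelta(days=days), EndTime=end,
                Period=86400, Statistics=["Sum"])
    return metrics, describe


# Constructed sample data (hypothetical instance IDs), not from any real account.
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0ddd", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}
SAMPLE_METRICS = {
    "i-0aaa": {"Datapoints": [{"Sum": 0.0}, {"Sum": 37.0}]},  # still calling IMDSv1
    "i-0bbb": {"Datapoints": [{"Sum": 0.0}, {"Sum": 0.0}]},   # allows IMDSv1 but unused
    "i-0ccc": {"Datapoints": []},                              # already enforcing IMDSv2
    "i-0ddd": {"Datapoints": []},                              # IMDS disabled
}

if __name__ == "__main__":
    print("still using IMDSv1:", instances_still_on_imdsv1(SAMPLE_METRICS))
    print("not enforcing IMDSv2:", instances_not_enforcing_imdsv2(SAMPLE_DESCRIBE))
    print("safe to set HttpTokens=required:", safe_to_enforce(SAMPLE_METRICS, SAMPLE_DESCRIBE))
```

With the sample data, i-0aaa is flagged as still using IMDSv1 and must be investigated before enforcement, while i-0bbb allows IMDSv1 but never used it in the window and can have HttpTokens set to required. Pick a window long enough to cover cron jobs and other infrequent callers, otherwise a zero count can be misleading.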