AWS Certified Security – Specialty — Question 406
A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1).
What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?
Answer options
- A. Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.
- B. Create an Amazon CloudWatch dashboard. Verify that the EC2:MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.
- C. Create a security group that blocks access to HTTP for the IMDSv1 endpoint. Attach the security group to all EC2 instances.
- D. Configure user data scripts for all EC2 instances to send logging information to AWS CloudTrail when IMDSv1 is used. Create a metric filter and an Amazon CloudWatch dashboard. Track the metric in the dashboard.
Correct answer: B
Explanation
The EC2:MetadataNoToken CloudWatch metric (namespace AWS/EC2, dimension InstanceId) counts the number of calls made to the instance metadata service without a session token. IMDSv2 requires a token on every request, so every token-less call is an IMDSv1 request, and the metric is a direct indicator of IMDSv1 usage. By monitoring this metric for every instance and confirming that it stays at zero over a period that covers the workload's normal activity, a security engineer can establish that no instance is still using IMDSv1. Security groups (option C) are ineffective because they do not filter traffic to the link-local metadata address (169.254.169.254); that traffic never leaves the host and is not subject to security group rules. Options A and D describe logging that does not exist: neither the CloudWatch agent nor AWS CloudTrail records IMDSv1 calls.
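The check described in option B, as an added example that is not part of the exam page: the first function issues the CloudWatch GetMetricStatistics call for AWS/EC2 MetadataNoToken per instance and the second buckets instances by the result. `cloudwatch` is any object with boto3's `get_metric_statistics` signature; the stub client and its instance IDs are constructed here so the module runs offline, and a pass through real data would use a boto3 CloudWatch client instead.

```python
from datetime import datetime, timedelta, timezone


def fetch_no_token_sums(cloudwatch, instance_ids, hours=24):
    """Sum the AWS/EC2 MetadataNoToken metric per instance over `hours`.

    `cloudwatch` is any object with boto3's get_metric_statistics signature.
    None means CloudWatch returned no datapoints: absence of evidence, not
    proof that the instance is off IMDSv1.
    """
    end = datetime.now(timezone.utc)
    start = end - timedelta(hours=hours)
    sums = {}
    for iid in instance_ids:
        resp = cloudwatch.get_metric_statistics(
            Namespace="AWS/EC2",
            MetricName="MetadataNoToken",
            Dimensions=[{"Name": "InstanceId", "Value": iid}],
            StartTime=start,
            EndTime=end,
            Period=3600,            # one Sum bucket per hour
            Statistics=["Sum"],
        )
        points = resp.get("Datapoints", [])
        sums[iid] = sum(p["Sum"] for p in points) if points else None
    return sums


def classify(no_token_sums):
    """Bucket instances: still calling IMDSv1, confirmed clean, or no data."""
    return {
        "imdsv1_in_use": sorted(i for i, s in no_token_sums.items() if s),
        "clean": sorted(i for i, s in no_token_sums.items() if s == 0),
        "no_data": sorted(i for i, s in no_token_sums.items() if s is None),
    }


class StubCloudWatch:
    """Constructed stand-in for the boto3 CloudWatch client (offline demo)."""
    SAMPLE = {  # constructed hourly Sum datapoints, keyed by instance ID
        "i-0aaa111": [{"Sum": 0.0}, {"Sum": 0.0}],   # only IMDSv2 calls
        "i-0bbb222": [{"Sum": 0.0}, {"Sum": 17.0}],  # token-less calls seen
        "i-0ccc333": [],                              # metric not reported
    }

    def get_metric_statistics(self, **kwargs):
        iid = kwargs["Dimensions"][0]["Value"]
        return {"Datapoints": self.SAMPLE.get(iid, [])}
```

Run `classify(fetch_no_token_sums(StubCloudWatch(), list(StubCloudWatch.SAMPLE)))` to see the three buckets; only instances in the "clean" bucket are confirmed off IMDSv1, while "no_data" instances need a longer window or a direct look at their metadata options.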