AWS Certified Security – Specialty — Question 51

A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service.
What can the Administrator do to protect against this potential attack?

Answer options

Correct answer: C

Explanation

Implementing iptables-based restrictions on the instances is the correct approach as it allows the Administrator to control and limit network access to the metadata service, thereby reducing the risk of unauthorized access to AWS account resources. Disabling the metadata service entirely could hinder necessary functionality, while logging SSH sessions does not prevent attacks. Installing the Amazon Inspector agent is useful for vulnerability assessments but does not directly address the immediate concern of metadata service access.
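One way to implement the iptables restriction the explanation describes, as an added example that is not part of the original question (the function names, the root-only policy and the persistence hint are assumptions; the rule itself uses iptables' owner match):

```shell
#!/bin/sh
# Added example (not from the question or AWS): restrict the EC2 instance
# metadata service (IMDS, 169.254.169.254) so that only root can reach it.
# Assumptions: Linux instance with iptables available, applied as root, and
# every workload that legitimately needs IMDS runs as root.

IMDS_IP=169.254.169.254

# Rule specification, built as text so it can be reviewed before applying.
# The owner match filters locally generated packets by the UID that opened
# the socket; "! --uid-owner root" matches every non-root (student) user.
imds_reject_rule() {
    printf '%s' "OUTPUT --proto tcp --destination $IMDS_IP --match owner ! --uid-owner root --jump REJECT"
}

# Apply the rule idempotently: -C checks whether it is already present.
apply_imds_restriction() {
    rule=$(imds_reject_rule)
    # Word-splitting of $rule is intentional: it holds the argument list.
    # shellcheck disable=SC2086
    if ! iptables -C $rule 2>/dev/null; then
        iptables -A $rule
    fi
    # Rules live in kernel memory only; persist them with the distro's
    # mechanism (e.g. iptables-save with iptables-services) or a boot hook,
    # otherwise the restriction disappears at the next reboot.
}

# Check from an unprivileged student account: returns 0 if IMDS is blocked,
# 1 if the request still succeeds (restriction not in effect).
imds_blocked_for_current_user() {
    if curl -s --max-time 2 "http://$IMDS_IP/latest/meta-data/" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage (as root):      apply_imds_restriction
# Usage (as a student): imds_blocked_for_current_user && echo "IMDS blocked"
```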