AWS Certified Security – Specialty — Question 57

A Developer's laptop was stolen. The laptop was not encrypted, and it contained the SSH key used to access multiple Amazon EC2 instances. A Security
Engineer has verified that the key has not been used, and has blocked port 22 to all EC2 instances while developing a response plan.
How can the Security Engineer further protect currently running instances?

Answer options

• A. Delete the key-pair key from the EC2 console, then create a new key pair.
• B. Use the modify-instance-attribute API to change the key on any EC2 instance that is using the key.
• C. Use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key.
• D. Update the key pair in any AMI used to launch the EC2 instances, then restart the EC2 instances.

Correct answer: C

Explanation

The correct answer is C because using EC2 RunCommand allows the Security Engineer to directly modify the authorized_keys file on the running instances, which is essential to revoke access from the compromised key. Option A is ineffective as deleting the key-pair does not impact running instances. Option B is incorrect because modifying instance attributes does not change the SSH keys on already running instances. Option D is not applicable since updating the AMI does not affect existing instances until they are restarted, which would not immediately secure them.