AWS Certified Security – Specialty — Question 89

A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair.
How can this task be accomplished?

Answer options

• A. Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key- name,Values=KEYNAMEHERE".
• B. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
• C. Obtain the output from the EC2 instance metadata using: curl http://169.254.169.254/latest/meta-data/public-keys/0/.
• D. Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using: aws logs filter-log-events.

Correct answer: A

Explanation

The correct answer is A because using the AWS CLI command allows for a direct query to obtain the specific instances that utilized the compromised key pair. Option B is incorrect as Amazon Inspector logs do not track this information, while C and D do not provide a reliable method to identify instances associated with a specific key pair.