Topic 1 Question 345
A company uses an organization in AWS Organizations that has all features enabled to manage its AWS accounts. Amazon EQ instances run in the AWS accounts.
The company requires that all current EC2 instances must use Instance Metadata Service Version 2 (IMDSv2). The company needs to block AWS API calls that originate from EC2 instances that do not use IMDSv2.
Which solution will meet these requirements?
Create a new SCP statement that denies the ec2:RunInstances action when the ec2:MetadataHttpTokens condition key is not equal to the value of required. Attach the SCP to the root of the organization.
Create a new SCP statement that denies the ec2:RunInstances action when the ec2:MetadataHttpPutResponseHopLimit condition key value is greater than two. Attach the SCP to the root of the organization.
Create a new SCP statement that denies "*" when the ec2:RoleDelivery condition key value is less than two. Attach the SCP to the root of the organization.
Create a new SCP statement that denies when the ec2:MetadataHttpTokens condition key value is not equal to required. Attach the SCP to the root of the organization.
ユーザの投票
コメント(4)
- 正解だと思う選択肢: D
I think it's D. It must indeed use the ec2:MetadataHttpTokens condition key, but if we only deny the ec2:RunInstances, then the already running EC2 instances can still do AWS API calls. Even if they are not using IMDSv2.
👍 5Impromptu2024/11/24 - 正解だと思う選択肢: D
Going for D, as A just enforce that the new EC2 instances to use IMDSv2 but there can be old instances not running IDMSv2 that can still do API calls...
👍 5teo21572024/12/19 - 正解だと思う選択肢: A
Option A provides the correct solution by using the ec2:MetadataHttpTokens condition key in an SCP to deny the ec2:RunInstances action for instances that do not have IMDSv2 enabled. This is the most effective way to ensure compliance with the company’s requirement.
👍 3uncledana2024/11/19
シャッフルモード