Certified Security - Specialty

Sign Up Free or Log In to participate!

Question security speciality

Hi can you help me for this one some people says A some others C 

A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service.

What can the Administrator do to protect against this potential attack?

A. Disable the EC2 instance metadata service.

B. Log all student SSH interactive session activity.

C. Implement ip tables-based restrictions on the instances.

D. Install the Amazon Inspector agent on the instances.

1 Answers

The ip tables-based restrictions are just going to be used to block access to the meta data service, i.e. block If a student is able to elevate their privileges on the machine then they can bypass / change the ip tables rules and access the meta data service. Turning off the EC2 instance meta data service is much more reliable as nothing the student can do from the EC2 instance can grant them access to the credentials.

i.e. Answer A makes much sense and is more robust than answer C. In these types of exams, it’s better to think about which control would be more effective. Disabling the meta data service is also more simple than doing the IP Tables restrictions.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?