Q55 — AWS DOP-C02 Ch.3


A company uses AWS Organizations with all features enabled to centrally manage its AWS accounts. Amazon EC2 instances run in those accounts. The company requires all current and future EC2 instances to use Instance Metadata Service version 2 (IMDSv2), and it must block AWS API calls originating from EC2 instances that do not use IMDSv2. Which solution meets these requirements?

Correct Answer: D. Create a new SCP statement that denies the relevant actions when the `ec2:MetadataHttpTokens` condition key value does not equal `required`. Attach the SCP to the organization root.

Explanation

This question tests the use of AWS Organizations service control policies (SCPs) to enforce IMDSv2 across every account in the organization. The `ec2:MetadataHttpTokens` condition key carries the `HttpTokens` setting of an instance's metadata options; its value is `optional` (IMDSv1 and IMDSv2 both accepted) or `required` (IMDSv2 only). It is evaluated on `ec2:RunInstances`, which sets the option at launch, and on `ec2:ModifyInstanceMetadataOptions`, which changes it on a running instance. An SCP statement with `"Effect": "Deny"` and a `StringNotEquals` condition of `ec2:MetadataHttpTokens` = `required` therefore blocks any launch that does not require IMDSv2 and any later attempt to downgrade an instance back to `optional`. Attaching the SCP to the organization root applies it to every current and future member account, which is what "all current and future EC2 instances" calls for.

Option A restricts only `ec2:RunInstances`; it leaves `ec2:ModifyInstanceMetadataOptions` uncovered, so an instance launched with IMDSv2 could be switched back to IMDSv1 afterwards. Option D applies the condition to both the creation and the modification path, closing that gap, and matches the IMDSv2 enforcement policy in the AWS documentation. Options B and C reference condition keys unrelated to IMDSv2.

Two practical caveats. First, SCPs never apply to the organization's management account, so instances launched there are not constrained by this policy. Second, `ec2:MetadataHttpTokens` governs how instances are configured, not what credentials a call was made with; the requirement to block API calls from instances that are still using IMDSv1 is normally met by a second deny statement on the documented `ec2:RoleDelivery` key, whose value is `1.0` when the instance-role credentials were fetched through IMDSv1 and `2.0` when they were fetched through IMDSv2, with a `NumericLessThan` condition of `2.0`.
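The SCP the answer describes, written out and exercised against a handful of constructed request contexts. This is an added example, not code from the exam page or from AWS: the policy document follows the `ec2:MetadataHttpTokens` pattern from the explanation and adds the documented `ec2:RoleDelivery` statement; the `Sid` values, the request contexts and the tiny evaluator (three condition operators, Deny statements only, no resource matching) are assumptions made for illustration and model only a subset of real IAM evaluation.

```python
"""Walk an IMDSv2-enforcement SCP over constructed request contexts.

Added example, not the exam page's or AWS's own code. The policy mirrors the
answer's ec2:MetadataHttpTokens deny plus the documented ec2:RoleDelivery deny.
The evaluator below is a deliberate subset of IAM: it handles StringNotEquals,
NumericLessThan and BoolIfExists, Deny statements only, and ignores Resource.
Sid values and all request contexts are assumptions / constructed test data.
"""
import json

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Assumed Sid. Blocks launches and later modifications unless HttpTokens=required.
            "Sid": "RequireImdsV2OnLaunchAndModify",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances", "ec2:ModifyInstanceMetadataOptions"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
        },
        {
            # Assumed Sid. Blocks any call made with role credentials fetched via IMDSv1
            # (RoleDelivery 1.0); calls an AWS service makes on the instance's behalf
            # are exempted via aws:ViaAWSService, as in the AWS documentation pattern.
            "Sid": "DenyCredentialsDeliveredByImdsV1",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NumericLessThan": {"ec2:RoleDelivery": "2.0"},
                "BoolIfExists": {"aws:ViaAWSService": "false"},
            },
        },
    ],
}


def _condition_matches(operator, key, expected, ctx):
    """Evaluate one (operator, key, value) triple against a request context."""
    present = key in ctx
    if operator == "StringNotEquals":
        # IAM's negated operators match when the key is absent from the context,
        # so a request carrying no value for the key is also caught by the Deny.
        return (not present) or ctx[key] != expected
    if operator == "NumericLessThan":
        # Non-negated operator: a missing key never matches.
        return present and float(ctx[key]) < float(expected)
    if operator == "BoolIfExists":
        # ...IfExists: a missing key counts as a match.
        return (not present) or str(ctx[key]).lower() == str(expected).lower()
    raise ValueError(f"operator {operator} is not modelled by this example")


def _action_matches(pattern, action):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(
        p == "*" or p == action or (p.endswith("*") and action.startswith(p[:-1]))
        for p in patterns
    )


def evaluate(policy, action, ctx):
    """Return ('Deny', sid) for the first matching Deny statement, else ('Allow', None).

    'Allow' only means 'not denied by this SCP'; an SCP never grants permissions
    and the identity policy still has to allow the call.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt["Action"], action):
            continue
        conditions = stmt.get("Condition", {})
        if all(
            _condition_matches(op, key, value, ctx)
            for op, pairs in conditions.items()
            for key, value in pairs.items()
        ):
            return "Deny", stmt["Sid"]
    return "Allow", None


# Constructed request contexts (not real CloudTrail data).
CASES = {
    "launch_imdsv2_only": ("ec2:RunInstances", {"ec2:MetadataHttpTokens": "required"}),
    "launch_imdsv1_allowed": ("ec2:RunInstances", {"ec2:MetadataHttpTokens": "optional"}),
    "launch_key_absent": ("ec2:RunInstances", {}),
    "downgrade_running_instance": ("ec2:ModifyInstanceMetadataOptions",
                                   {"ec2:MetadataHttpTokens": "optional"}),
    "s3_call_with_imdsv1_creds": ("s3:GetObject", {"ec2:RoleDelivery": "1.0"}),
    "s3_call_with_imdsv2_creds": ("s3:GetObject", {"ec2:RoleDelivery": "2.0"}),
    "service_on_behalf_imdsv1": ("s3:GetObject",
                                 {"ec2:RoleDelivery": "1.0", "aws:ViaAWSService": "true"}),
    "s3_call_from_laptop": ("s3:GetObject", {}),
}


def run_cases():
    """Map each constructed case name to the SCP verdict for it."""
    return {name: evaluate(SCP, action, ctx) for name, (action, ctx) in CASES.items()}


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for name, verdict in run_cases().items():
        print(f"{name:32s} -> {verdict[0]}{' (' + verdict[1] + ')' if verdict[1] else ''}")
```

The `launch_key_absent` case is the one worth pausing on: because `StringNotEquals` is a negated operator, a request context with no `ec2:MetadataHttpTokens` value at all satisfies the condition and is denied, which is the behaviour you want from a guardrail. The `s3_call_from_laptop` case shows the opposite side, a `NumericLessThan` on a key that is only populated for instance-role credentials never matches calls made from elsewhere, so the second statement does not lock out administrators.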