Q70 — AWS SCS-C02 Ch.1

A company is migrating its Amazon EC2 based applications to use Instance Metadata Service Version 2 (IMDSv2). A security engineer needs to determine whether any of the EC2 instances are still using Instance Metadata Service Version 1 (IMDSv1). What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?

Correct Answer: B. Create an Amazon CloudWatch dashboard. Verify that the EC2:MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.

Explanation

IMDSv2 requires a session token, whereas IMDSv1 does not. AWS provides the CloudWatch metric `EC2:MetadataNoToken`, which counts the IMDSv1 requests made by an instance. Checking that this metric is zero confirms that the migration is complete. Option B monitors this metric directly through CloudWatch with no additional configuration. Options A and D rely on custom logging and scripts, which is less direct than the native metric. Option C is wrong because security groups cannot control the instance's local metadata service. Source: the best-practices section on IMDS migration in the AWS documentation.