An EC2 instance can query its instance metadata service to get information about itself. Which of the following types of data can it retrieve?
Think about what information is specific to the instance itself and what would be sensitive or unrelated.
The instance metadata service provides information about the instance such as its ID, IP addresses, and security groups. It does not provide access to account-wide sensitive data like root keys or billing info.
You want to run a script automatically when your EC2 instance starts. How should you provide this script using user data?
User data is designed to run commands or scripts at instance boot time.
User data is passed as plain text or base64-encoded text during instance launch. The instance reads and executes it on first boot. Uploading to S3 or attaching files after launch is not how user data works.
IMDSv1 allows EC2 instances to access metadata via HTTP requests. What is a known security risk of using IMDSv1 compared to IMDSv2?
Consider how metadata is accessed and what an attacker might exploit.
IMDSv1 uses simple HTTP GET requests without session tokens, making it vulnerable to Server-Side Request Forgery (SSRF) attacks. IMDSv2 adds session tokens to mitigate this risk.
You want your EC2 instance to access database credentials securely without embedding them in user data. Which approach is best?
Think about AWS services designed for secret management and secure access.
Assigning an IAM role to the instance allows it to securely retrieve secrets from AWS Secrets Manager without exposing them in user data or AMIs. Base64 encoding is not encryption and is insecure.
You want to ensure all EC2 instances in your environment use IMDSv2 only, disabling IMDSv1. How can you enforce this?
Look for instance metadata options that control IMDS versions.
EC2 allows configuring metadata options to require IMDSv2 and disable IMDSv1. This is the recommended best practice to protect against SSRF and other attacks.