Free AWS DOP-C02 Actual Exam Questions - Question 9 Discussion
the use of Instance Metadata Service Version 2 (IMDSv2) on all EC2 instances in the AWS account. If an EC2 instance does not prevent the use of Instance Metadata Service Version 1 (IMDSv1), the EC2 instance must be terminated.
Which solution will meet these requirements?
Probably A makes the most sense here since AWS Config rules continuously monitor all instances, not just new ones, so it can catch and remediate existing non-compliant instances by terminating them automatically.
Maybe D could work since it reacts right when an instance launches, checking the metadata version immediately. If it finds IMDSv1 is enabled, the Lambda can shut down that instance fast. That way, you catch non-compliant instances as soon as they come up. A relies on AWS Config which is good for ongoing compliance but might not catch things instantly at launch. Plus, D’s event-driven approach feels more direct for this kind of enforcement without needing extra setup like Systems Manager Automation. Just depends on how quickly you want to react after instance creation.
This one feels like A since AWS Config has managed rules for IMDSv2 enforcement and supports automated remediation. C with Inspector sounds like overkill and might not have direct remediation for metadata settings. D can’t inspect metadata on launch events itself, so it won’t catch the IMDS version issue properly. B only affects new launches, no termination once running, so it doesn’t fully meet the requirement. So, going with A makes sense here because it automates detection and termination cleanly.
Permissions boundaries don’t stop existing instances from running, so B won’t ensure instances using IMDSv1 get terminated. A or C is better for automatic enforcement after launch.
A/C? I know IMDSv2 enforcement is usually checked with AWS Config rules designed for this exact purpose, so A seems solid since it covers monitoring and automated remediation. C might work too but sounds more complicated and isn't as direct for this specific requirement. B and D feel off; permissions boundaries don’t really control instance metadata versions during launch, and checking metadata after launch via Lambda seems unreliable. So definitely putting my bet on A, since AWS Config is built for these policy enforcements.
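The check the commenters describe (is IMDSv1 still reachable on an instance, and which instances would remediation terminate) boils down to reading the instance's MetadataOptions. The following is an added example, not from the exam or any commenter: it evaluates a constructed DescribeInstances-shaped response offline and emits AWS Config-style evaluation records; the function names and sample instance IDs are my own, and in a real rule Lambda the input would come from boto3's ec2.describe_instances().

```python
"""Evaluate EC2 instances for IMDSv2-only enforcement (HttpTokens=required).
Pure Python over the DescribeInstances response shape, so it runs offline;
a Config rule Lambda would feed it ec2.describe_instances() output instead."""

# Constructed sample in the DescribeInstances response shape (not real instances).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0ccc333", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0ddd444", "State": {"Name": "terminated"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    ]},
]

def imdsv1_allowed(instance):
    """True if the instance still answers unauthenticated IMDSv1 requests.
    HttpTokens=optional leaves v1 reachable; HttpEndpoint=disabled switches the
    metadata service off entirely, so v1 cannot be used either way.
    Missing fields default to the permissive values so they are flagged."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return False
    return opts.get("HttpTokens", "optional") != "required"

def evaluate_imdsv2(reservations):
    """Config-style evaluations for every instance that is not already terminated."""
    evaluations = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # nothing left to remediate
            evaluations.append({
                "ComplianceResourceType": "AWS::EC2::Instance",
                "ComplianceResourceId": inst["InstanceId"],
                "ComplianceType": "NON_COMPLIANT" if imdsv1_allowed(inst) else "COMPLIANT",
            })
    return evaluations

def instances_to_terminate(reservations):
    """Instance IDs a remediation step would hand to ec2.terminate_instances()."""
    return [e["ComplianceResourceId"] for e in evaluate_imdsv2(reservations)
            if e["ComplianceType"] == "NON_COMPLIANT"]

if __name__ == "__main__":
    print(instances_to_terminate(SAMPLE_RESERVATIONS))  # ['i-0bbb222']
```

Note that an instance with the metadata endpoint disabled outright is treated as compliant, since IMDSv1 cannot be used there at all.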