What should the security engineer do to confirm that the IMDSv1 endpoint is no longer being used?
Configure logging on the Amazon CloudWatch agent for IMDSv1 as part of EC2 instance startup. Create a metric filter and a CloudWatch dashboard. Track the metric in the dashboard.
Create an Amazon CloudWatch dashboard. Verify that the EC2:MetadataNoToken metric is zero across all EC2 instances. Monitor the dashboard.
Create a security group that blocks access to HTTP for the IMDSv1 endpoint. Attach the security group to all EC2 instances.
Configure user data scripts for all EC2 instances to send logging information to AWS CloudTrail when IMDSv1 is used. Create a metric filter and an Amazon CloudWatch dashboard. Track the metric in the dashboard.
Explanations:
Configuring logging on the CloudWatch agent for IMDSv1 would not effectively track or confirm the usage of IMDSv1: it depends on each instance's initialization, and it gives neither real-time monitoring nor direct confirmation of access to the IMDSv1 endpoint.
The EC2 MetadataNoToken metric measures the number of requests to the instance metadata service that do not include a session token. If this metric is consistently zero across all instances, it confirms that no instance is using IMDSv1, which relies on requests made without a token.
Blocking access to the IMDSv1 endpoint using a security group could lead to application failures if any instance relies on IMDSv1. This method does not confirm whether IMDSv1 was previously used, as it only prevents access rather than monitoring it.
While configuring user data scripts to log information when IMDSv1 is accessed may provide some tracking capability, it is not a standard approach for confirming current usage of IMDSv1, and it relies on the instances being restarted or re-initialized with the new user data scripts before any logs are captured.
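To make the correct answer concrete, here is an added example (not part of the original question set) that builds the CloudWatch GetMetricData query for the MetadataNoToken metric per instance and evaluates the reply, flagging any instance whose summed token-less request count is non-zero. The instance IDs, the sample reply and the seven-day window are constructed for illustration; the live call in `main` assumes boto3 credentials and a region are already configured.

```python
"""Confirm IMDSv1 is no longer used by checking the AWS/EC2 MetadataNoToken metric.

Added example, not code from the original question. Assumptions:
  - boto3 credentials and region are configured if the live query in main() runs;
  - SAMPLE_INSTANCES / SAMPLE_RESULTS are constructed stand-ins for real data.
"""
from datetime import datetime, timedelta, timezone

NAMESPACE = "AWS/EC2"
METRIC = "MetadataNoToken"  # IMDS requests made without an IMDSv2 session token


def build_metric_queries(instance_ids, period_seconds=3600):
    """One GetMetricData query per instance, summing token-less IMDS calls per period."""
    queries = []
    for n, instance_id in enumerate(instance_ids):
        queries.append({
            "Id": f"q{n}",  # query Ids must start with a lowercase letter
            "MetricStat": {
                "Metric": {
                    "Namespace": NAMESPACE,
                    "MetricName": METRIC,
                    "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
                },
                "Period": period_seconds,
                "Stat": "Sum",
            },
            "ReturnData": True,
        })
    return queries


def instances_still_using_imdsv1(queries, metric_data_results):
    """Return {instance_id: total_token_less_requests} for instances with a non-zero sum.

    An instance with no datapoints at all is treated as zero: CloudWatch publishes
    nothing for a period in which no IMDSv1-style request was seen.
    """
    id_to_instance = {
        q["Id"]: q["MetricStat"]["Metric"]["Dimensions"][0]["Value"] for q in queries
    }
    offenders = {}
    for result in metric_data_results:
        total = sum(result.get("Values", []))
        if total > 0:
            offenders[id_to_instance[result["Id"]]] = total
    return offenders


# Constructed sample data in the shape boto3's cloudwatch.get_metric_data() returns.
SAMPLE_INSTANCES = ["i-0aaa111", "i-0bbb222", "i-0ccc333"]  # constructed IDs
_now = datetime.now(timezone.utc)
_stamps = [_now - timedelta(hours=h) for h in (3, 2, 1)]
SAMPLE_RESULTS = [
    # no datapoints at all: nothing token-less was ever recorded
    {"Id": "q0", "Label": METRIC, "Timestamps": [], "Values": [], "StatusCode": "Complete"},
    # datapoints present but all zero
    {"Id": "q1", "Label": METRIC, "Timestamps": _stamps, "Values": [0.0, 0.0, 0.0],
     "StatusCode": "Complete"},
    # still receiving token-less requests: IMDSv1 is in use here
    {"Id": "q2", "Label": METRIC, "Timestamps": _stamps, "Values": [0.0, 12.0, 3.0],
     "StatusCode": "Complete"},
]


def main(instance_ids):
    """Run the query live if boto3 is available, otherwise evaluate the sample reply."""
    queries = build_metric_queries(instance_ids)
    try:
        import boto3
    except ImportError:
        results = SAMPLE_RESULTS  # offline fallback using the constructed data
    else:
        cw = boto3.client("cloudwatch")
        end = datetime.now(timezone.utc)
        start = end - timedelta(days=7)  # look-back window; GetMetricData allows <=500 queries
        resp = cw.get_metric_data(MetricDataQueries=queries, StartTime=start, EndTime=end)
        results = resp["MetricDataResults"]
    offenders = instances_still_using_imdsv1(queries, results)
    if offenders:
        for instance_id, total in offenders.items():
            print(f"{instance_id}: {total:.0f} token-less IMDS requests in window")
    else:
        print("MetadataNoToken is zero for every instance checked: no IMDSv1 usage seen")
    return offenders


if __name__ == "__main__":
    main(SAMPLE_INSTANCES)
```

Run this against every instance in the account (the instance list can come from `ec2.describe_instances`) and treat an empty result over a window longer than the longest deployment cycle as the confirmation the question asks for; only then is it safe to enforce IMDSv2 on each instance with `ec2.modify_instance_metadata_options(InstanceId=..., HttpTokens="required")`, which is the step the security-group option in the question cannot safely replace.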