Which of the following strategies will help prevent a similar situation in the future?

Your system recently experienced down time during the troubleshooting process. You found that a new
administrator mistakenly terminated several production EC2 instances.
Which of the following strategies will help prevent a similar situation in the future?
The administrator still must be able to:
– launch, start stop, and terminate development resources.
– launch and start production instances.

Your system recently experienced down time during the troubleshooting process. You found that a new
administrator mistakenly terminated several production EC2 instances.
Which of the following strategies will help prevent a similar situation in the future?
The administrator still must be able to:
– launch, start stop, and terminate development resources.
– launch and start production instances.

A.
Create an IAM user, which is not allowed to terminate instances by leveraging production EC2 termination
protection.

B.
Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating
production EC2 resources.

C.
Leverage EC2 termination protection and multi-factor authentication, which together require users to
authenticate before terminating EC2 instances

D.
Create an IAM user and apply an IAM role which prevents users from terminating production EC2 instances.



Leave a Reply 25

Your email address will not be published. Required fields are marked *


Manu

Manu

Thanks michjojo

Chef

Chef

Chef

To the extent that it’s practical, define the conditions under which your IAM policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from, or you can specify that a request is allowed only within a specified date range or time range. You can also set conditions that require the use of SSL or MFA (multifactor authentication). For example, you can require that a user has authenticated with an MFA device in order to be allowed to terminate an Amazon EC2 instance.

Senator

Senator

C is the best answer

Krishnan

Krishnan

By Choosing D, we loose the ability to terminate instance. Question is, how can the user/admin continue to start/stop servers. “C” seems to be the most appropriate solution here

Eric

Eric

I would go with B- for tagging.

Manish

Manish

Well the optioni B is just talking about tagging and not setting any actual restrictions or policies for not allowing to terminate the production EC2 instance. Tags don’t have any semantic meaning to Amazon EC2 and are interpreted strictly as a string of characters.

I would go with option D.

vladam

vladam

C is wrong because it does not disable user from terminating instances.
D is wrong because it does not differentiate between production and development instances.

B is the right answer, see here:
https://aws.amazon.com/blogs/security/resource-level-permissions-for-ec2-controlling-management-access-on-specific-instances/

bargom

bargom

It does make differentiation, saying “..from terminating production ec2 instances”

D

www.cloudthinker.de

www.cloudthinker.de

Means that the role cannot differentiate between prod and test.

mutiger91

mutiger91

The question was: “Which of the following strategies will help prevent a similar situation in the future?”. There is no requirement to prevent the administrator from terminating an instance. In fact, there are likely times you will want to terminate an instance as an administrator. The requirement was for no more accidental termination of instances. Termination protection would solve that. Therefore, I like C as a better answer.

265 questions in before I disagreed with one of your answers. You know your AWS.

Serdar SARIOGLU

Serdar SARIOGLU

vladam you re right answer is B

Kolambe

Kolambe

Answer is B

ddbullfrog

Homer

Homer

The blog link you provided is very helpful and informative. The best practice should be tagging and create tagging based policy.

None of the above is correct answer.

A. The new administrator can still ‘MISTAKENLY’ disable termination protection.
B. Tagging is the first step, should create policies and lock down tags, then attach policies to IAM users.
C. MFA cannot stop user from terminating a Dev instance, the question explicitly wants to take way permission to terminate Dev instances.
D. IAM role is designed to let applications securely make API requests from your instances, without requiring you to manage the security credentials that the applications use.

The solution should be 1. tagging, 2. create tagging based policies, 3. lock down tags, 4. attach policies to IAM user of the new administrator.

Naser

Naser

B should be the correct answer

A. EC2 termination protection is enabled on EC2 instance.

B. Identify production resources using tags and add explicit deny.

C. Still does not prevent user from terminating instance.

D. Role is not applied to User but assumed by the User also need a way to identify production EC2 instances.

Mir

Mir

B. Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating production EC2 resources.

Quang

Quang

B

Should not create new IAM user and prod/dev marking is the most common usage of tagging