
DOP-C02 Exam - Question 209


A company's organization in AWS Organizations has a single OU. The company runs Amazon EC2 instances in the OU accounts. The company needs to limit the use of each EC2 instance’s credentials to the specific EC2 instance that the credential is assigned to. A DevOps engineer must configure security for the EC2 instances.

Which solution will meet these requirements?

Correct Answer: B

To ensure that each EC2 instance's credentials can be used only from the instance they were issued to, a Service Control Policy (SCP) must enforce that the credentials are used only within the context of their originating instance. An SCP that checks whether the values of the aws:EC2InstanceSourceVPC and aws:SourceVpc condition keys are the same ensures that the credentials are used from within the same VPC. The SCP must additionally check that aws:EC2InstanceSourcePrivateIPv4 and aws:VpcSourceIp are the same, which restricts usage to the instance's own private IP address. Together, these two checks tie the use of the credentials to the specific EC2 instance and VPC, meeting the security requirement.
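As an added illustration of what the answer describes (this is example policy written for this page, not the exam's answer text and not an AWS-published document), the SCP below denies any request made with EC2 instance credentials when the VPC or private IP recorded at credential issue time (aws:EC2InstanceSourceVPC, aws:EC2InstanceSourcePrivateIPv4) does not match the VPC or source IP the request actually arrives from (aws:SourceVpc, aws:VpcSourceIp). The Null check on ec2:SourceInstanceARN scopes the deny to instance-role credentials so that users and other roles are unaffected, the BoolIfExists check on aws:ViaAWSService exempts calls that AWS services make on the instance's behalf, and the ArnNotLike exception for EXAMPLE-EXCEPTION-ROLE is a placeholder for a break-glass role; those three conditions and the Sid names are this example's assumptions, not something the question states.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceCredsOutsideSourceVpc",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:EC2InstanceSourceVPC": "${aws:SourceVpc}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/EXAMPLE-EXCEPTION-ROLE"
        }
      }
    },
    {
      "Sid": "DenyInstanceCredsFromOtherPrivateIp",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:EC2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/EXAMPLE-EXCEPTION-ROLE"
        }
      }
    }
  ]
}
```

Attach the policy to the OU that holds the EC2 accounts. Two caveats matter in practice: aws:SourceVpc and aws:VpcSourceIp are only present in the request context when the API call reaches the service through a VPC endpoint, so this pattern assumes the instances' AWS API traffic uses VPC endpoints, and a request that does not traverse one is denied because the policy variable cannot resolve; and because the deny is written with Action "*", test it in a non-production OU first and keep the exception role available so an overly broad match does not lock out automation.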

Discussion

8 comments
thanhnv142 (Option: B)
Feb 12, 2024

B is correct: aws:EC2InstanceSourceVPC and aws:SourceVpc must be the same. Additionally, aws:EC2InstanceSourcePrivateIPv4 and aws:VpcSourceIp must be the same. A: irrelevant. C: <define a list of acceptable IP address values> is not correct. D: <aws:EC2InstanceSourceVPC and aws:VpcSourceIp> is incorrect.

thanhnv142
Feb 12, 2024

Finally, I've made it to the last one.

fdoxxx (Option: B)
Mar 3, 2024

B is the most appropriate solution: Option A introduces unnecessary complexity with multiple conditions and may not provide the intended restriction. Option C suggests creating an SCP with lists of acceptable values, but it might be challenging to maintain and is less straightforward. Option D has the same issues as option A, introducing complexity with multiple conditions.

devakram (Option: B)
Apr 13, 2024

B obviously: https://aws.amazon.com/blogs/security/how-to-use-policies-to-restrict-where-ec2-instance-credentials-can-be-used-from/

Diego1414 (Option: B)
Feb 26, 2024

Answer: B - aws:EC2InstanceSourceVPC = aws:SourceVpc and aws:EC2InstanceSourcePrivateIPv4 = aws:VpcSourceIp (https://aws.amazon.com/blogs/security/how-to-use-policies-to-restrict-where-ec2-instance-credentials-can-be-used-from/)

Arnaud92
Feb 7, 2024

Source: https://aws.amazon.com/fr/blogs/security/how-to-use-policies-to-restrict-where-ec2-instance-credentials-can-be-used-from/

Chelseajcole
Feb 7, 2024

B. Checks whether the values of the aws:EC2InstanceSourceVPC and aws:SourceVpc condition keys are the same, and apply the SCP to the OU.

vortegon (Option: B)
Feb 11, 2024

https://aws.amazon.com/fr/blogs/security/how-to-use-policies-to-restrict-where-ec2-instance-credentials-can-be-used-from/

6ef9a08
Jul 1, 2024

NOT C,D: "Apply the SCP to each account in the organization" - SCPs apply to OUs, not accounts