ISC2 Certified Cloud Security Professional (CCSP) Practice Question
During an incident response, your team discovers that attackers exploited a server-side request forgery (SSRF) flaw in a public-facing EC2 web server. By sending crafted requests to http://169.254.169.254/latest/meta-data/, they obtained the instance's temporary AWS credentials and used them to access and exfiltrate sensitive data from S3. Which mitigation would most effectively prevent this attack path while still allowing legitimate applications on the instance to query the metadata service when needed?
Place the web server in a private subnet without an Internet gateway or public IP address.
Install a host-based intrusion detection system (HIDS) on the instance to alert on suspicious process behavior.
Enable server-side encryption with customer-managed keys (SSE-CMK) on all S3 buckets that store sensitive data.
Configure the EC2 instance to require Instance Metadata Service version 2 (IMDSv2) and block all IMDSv1 requests.
The attack relied on the older Instance Metadata Service v1 (IMDSv1), which accepts unauthenticated HTTP requests from any process that can reach the link-local address 169.254.169.254. By enabling IMDSv2 and disabling IMDSv1, the metadata service requires a session-oriented, time-bound token obtained through an initial PUT request that cannot be sent with a simple one-shot SSRF. This blocks unauthorized metadata queries originating from the vulnerable web application while preserving legitimate access for local processes. Moving the instance to a private subnet or removing its public IP reduces exposure but does not stop SSRF from reaching the metadata endpoint internally. Encrypting S3 data protects confidentiality at rest but does nothing to stop credential theft. A host-based IDS may detect some anomalies after the fact but does not eliminate the vulnerability path. Therefore, enforcing IMDSv2 and disabling IMDSv1 is the most effective preventive control.
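An added example (not part of the original question page) of how a defender would turn this answer into an auditable control: the script below parses the JSON that `aws ec2 describe-instances` returns, flags every instance whose metadata endpoint is enabled but still honours IMDSv1 (`HttpTokens` is `optional` rather than `required`), and emits the `aws ec2 modify-instance-metadata-options` command that enforces IMDSv2 on it. It also flags a `HttpPutResponseHopLimit` above 1, since a higher hop limit lets the IMDSv2 token reply travel beyond the instance itself (for example into a container behind NAT). The instance IDs and metadata options are constructed sample data, not real resources.

```python
import json
from typing import Dict, List

# Constructed sample of `aws ec2 describe-instances` output; the instance IDs
# are placeholders, not real resources. Only the fields the audit needs are kept.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ddd444example",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 3}},
        ]}
    ]
})


def _instances(describe_output: str):
    """Yield every instance record from describe-instances JSON."""
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            yield inst


def find_imdsv1_exposed(describe_output: str) -> List[str]:
    """Instance IDs where the metadata endpoint is on but IMDSv1 is still accepted.

    HttpTokens == "optional" means an unauthenticated GET to 169.254.169.254
    is answered, which is exactly the request shape a one-shot SSRF can make.
    A disabled endpoint is skipped: there are no credentials to reach there.
    """
    exposed = []
    for inst in _instances(describe_output):
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") != "enabled":
            continue
        if opts.get("HttpTokens") != "required":
            exposed.append(inst["InstanceId"])
    return exposed


def find_high_hop_limit(describe_output: str, max_hops: int = 1) -> List[str]:
    """Instance IDs whose IMDSv2 PUT response hop limit exceeds max_hops.

    With a hop limit of 1 the token response cannot be forwarded off the
    instance; a larger value widens who can complete the PUT handshake.
    """
    return [
        inst["InstanceId"]
        for inst in _instances(describe_output)
        if inst.get("MetadataOptions", {}).get("HttpEndpoint") == "enabled"
        and inst.get("MetadataOptions", {}).get("HttpPutResponseHopLimit", 1) > max_hops
    ]


def remediation_command(instance_id: str) -> str:
    """The AWS CLI call that requires IMDSv2 (and so rejects IMDSv1 requests)."""
    return (
        "aws ec2 modify-instance-metadata-options "
        f"--instance-id {instance_id} "
        "--http-tokens required --http-endpoint enabled "
        "--http-put-response-hop-limit 1"
    )


def audit(describe_output: str) -> Dict[str, List[str]]:
    """Run both checks and return the findings keyed by issue."""
    return {
        "imdsv1_allowed": find_imdsv1_exposed(describe_output),
        "hop_limit_too_high": find_high_hop_limit(describe_output),
    }


if __name__ == "__main__":
    # In production, replace SAMPLE_DESCRIBE_INSTANCES with the real output of:
    #   aws ec2 describe-instances --output json
    report = audit(SAMPLE_DESCRIBE_INSTANCES)
    for instance_id in report["imdsv1_allowed"]:
        print(f"[IMDSv1 allowed] {instance_id}\n  fix: {remediation_command(instance_id)}")
    for instance_id in report["hop_limit_too_high"]:
        print(f"[hop limit > 1]  {instance_id}\n  fix: {remediation_command(instance_id)}")
```

Run against real output by piping `aws ec2 describe-instances --output json` into the audit function; the same `modify-instance-metadata-options` call can also be applied fleet-wide, and new launches can be pinned to IMDSv2 by setting `HttpTokens=required` in the launch template's metadata options so the finding does not recur.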
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Platform & Infrastructure Security