Protecting Your AWS Production Environment: Restricting EC2 Instance Termination

Question

An employee unknowingly keeps terminating EC2 instances on the production environment.

You want to restrict the user from terminating the production instances or add an extra layer of defense before he tries to do that next time.

Which of the following options are suitable? (Select TWO.)

Explanations

Correct Answer: A & D.

The key point to this question is the “extra layer of defence against terminating the instances”.

Option A is CORRECT because with tags you can explicitly deny an action.

Check the following example:

{
    "Sid": "DenyDelete",
    "Action": [
        "ec2:TerminateInstances"
    ],
    "Effect": "Deny",
    "Resource": "*",
    "Condition": {
        "StringLikeIfExists": {
            "ec2:ResourceTag/Production": "true"
        }
    }
}

From the article below:

“In some contexts, you may optionally choose to explicitly deny a group of users the ability to manage specific instances.

Explicit denial policies are not generally required since IAM is deny-all by default.

But the use of an explicit deny policy can provide an additional layer of protection since the presence of a deny statement will cause the user to be denied the ability to act even if another policy statement would have allowed it.”

For more information:

https://aws.amazon.com/blogs/security/resource-level-permissions-for-ec2-controlling-management-access-on-specific-instances/

Option B is incorrect.

While it starts correctly by tagging production instances, it does not use the production tag in the IAM policy.

Besides, the IAM policy should contain an explicit deny instead of an implicit deny.

Option C is incorrect because disabling MFA removes layers of protections rather than adds them.

Option D is CORRECT because it ensures that an AWS MFA device authenticates the user before the employee can delete objects (in this case, terminate instances), which adds the requested extra layer of protection.

The following condition can be added to the IAM policy:

"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}

From the article below:

“You can also set conditions that require the use of SSL or MFA (multi-factor authentication).

For example, you can require that a user has authenticated with an MFA device in order to be allowed to terminate an Amazon EC2 instance.”

For more information:

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html#MFAProtectedAPI-resource-policies
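To make the evaluation logic behind options A and D concrete, here is an added Python model (not AWS code and not taken from the referenced articles) that simulates how IAM handles a Deny conditioned on the Production tag together with an Allow gated on aws:MultiFactorAuthPresent. The policy, request contexts and helper functions are all constructed for this illustration; the Deny uses StringEquals because the IfExists suffix evaluates a condition as true when the key is absent from the request context, so a Deny written with StringLikeIfExists (as in the snippet above) also blocks instances that carry no Production tag at all, which the model reproduces with DENY_IF_EXISTS.

```python
# Added example, not AWS code: a minimal model of IAM policy evaluation
# for ec2:TerminateInstances with a tag-based Deny and an MFA-gated Allow.
from fnmatch import fnmatchcase

ACTION = "ec2:TerminateInstances"
# Constructed policy: Allow only when MFA is present, plus an explicit Deny
# on instances tagged Production=true (StringEquals, no IfExists suffix).
POLICY = [
    {"Effect": "Allow", "Action": ACTION,
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": ACTION,
     "Condition": {"StringEquals": {"ec2:ResourceTag/Production": "true"}}},
]
# The same Deny written with the operator used on the page, for comparison.
DENY_IF_EXISTS = {"Effect": "Deny", "Action": ACTION,
                  "Condition": {"StringLikeIfExists":
                                {"ec2:ResourceTag/Production": "true"}}}

def condition_matches(cond, ctx):
    """Evaluate a Condition block against a request-context dict."""
    for operator, pairs in cond.items():
        if_exists = operator.endswith("IfExists")
        op = operator.removesuffix("IfExists")
        for key, expected in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue   # key absent: IfExists evaluates as true
                return False   # key absent: plain operator does not match
            actual = ctx[key]
            if op == "Bool" and actual.lower() != expected.lower():
                return False
            if op == "StringEquals" and actual != expected:
                return False
            if op == "StringLike" and not fnmatchcase(actual, expected):
                return False
    return True

def is_allowed(policy, action, ctx):
    """IAM logic: deny by default, and an explicit Deny beats any Allow."""
    allowed = False
    for stmt in policy:
        if stmt["Action"] == action and condition_matches(stmt.get("Condition", {}), ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed request contexts: MFA session on a Production-tagged instance,
# MFA session on an untagged instance, and a session without MFA.
MFA_PROD = {"aws:MultiFactorAuthPresent": "true", "ec2:ResourceTag/Production": "true"}
MFA_DEV = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA_DEV = {}
```

Calling is_allowed(POLICY, ACTION, MFA_DEV) returns True while the same call with [POLICY[0], DENY_IF_EXISTS] returns False, which is the difference between the two operators on an untagged instance.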

The situation described in the question highlights the need to prevent an employee from terminating EC2 instances on the production environment. This can be accomplished by implementing additional security measures and access controls. Two possible solutions are discussed below:

Option A: Tagging instances with a production-identifying tag and adding resource-level permissions

This solution involves tagging all production instances with a unique identifier (e.g., "production") and then modifying the user's IAM policy to include an explicit deny statement for the terminate API call to instances with the production tag. This ensures that the employee user is not allowed to terminate production instances, but can still terminate non-production instances if necessary. This solution requires resource-level permissions to be added, which provide fine-grained control over specific resources, in this case, EC2 instances.

Option B: Tagging instances with a production-identifying tag and giving the IAM user an implicit deny

This solution involves tagging all production instances with a unique identifier and then modifying the user's IAM policy to include an implicit deny statement for the EC2 terminate API call for all EC2 instances. This ensures that the employee user is not allowed to terminate any EC2 instances, regardless of whether they are production or non-production.

Option C: Modifying the IAM policy to require MFA before deleting EC2 instances and disabling MFA access

This solution involves modifying the IAM policy on the user to require Multi-Factor Authentication (MFA) before deleting EC2 instances. Additionally, MFA access to the employee can be disabled to ensure that they are unable to perform the termination action. This solution is a general approach that can be applied to other AWS services and not just EC2 instances.

Option D: Authenticating with an MFA device to terminate an Amazon EC2 instance

This solution involves requiring the user to authenticate with an MFA device before they can terminate an Amazon EC2 instance. This can be done using IAM policies, which allow for granular access control. This solution provides an additional layer of defense against unauthorized termination of EC2 instances, but does not prevent the employee user from terminating non-production instances.

In summary, Option A and Option B are suitable solutions for preventing an employee from terminating production EC2 instances, while Option C and Option D are more general approaches that can be used to prevent unauthorized access to AWS services.