AWS EC2 Security

• IAM helps control whether users in the organization can perform a task using specific EC2 API actions and whether they can use specific AWS resources.
• Use IAM roles to prevent the need to share as well as manage, and rotate the security credentials that the applications use.
• Security groups act as a virtual firewall that controls the traffic to the EC2 instances. They can help specify rules that control the inbound traffic that’s allowed to reach the instances and the outbound traffic that’s allowed to leave the instance.
• Use AWS Systems Manager Session Manager to connect to the instance as it provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
• Use EC2 Instance Connect to connect to your instances using Secure Shell (SSH) without the need to share and manage SSH keys.
• Use EC2 Instance Connect Endpoint to connect securely to instances in private subnets without requiring a public IP address, Internet Gateway, or bastion host.
• Use AWS Systems Manager Run Command to automate common administrative tasks instead of opening inbound SSH ports and managing SSH keys.
• Use Systems Manager Patch Manager to automate the process of patching, installing security-related updates for both the operating system and applications.
• Use AWS Verified Access to provide secure, VPN-less, zero-trust access to EC2 instances over SSH, RDP, and other protocols.
• Enforce IMDSv2 (Instance Metadata Service Version 2) to add defense-in-depth against unauthorized metadata access using session-oriented token-based requests.

EC2 Key Pairs

• EC2 uses public-key cryptography to encrypt & decrypt login information
• Public-key cryptography uses a public key to encrypt a piece of data, such as a password, then the recipient uses the private key to decrypt the data.
• Public and private keys are known as a key pair.
• To log in to an EC2 instance, a key pair needs to be created and specified when the instance is launched, and the private key can be used to connect to the instance.
• Linux instances have no password, and the key pair is used for ssh log in
• For Windows instances, the key pair can be used to obtain the administrator password and then log in using RDP
• EC2 stores the public key only, and the private key resides with the user. EC2 doesn’t keep a copy of your private key
• Public key content (on Linux instances) is placed in an entry within ~/.ssh/authorized_keys at boot time and enables the user to securely access the instance without passwords
• Public key specified for an instance when launched is also available through its instance metadata http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
• EC2 Security Best Practice: Store the private keys in a secure place as anyone who possesses the private key can decrypt the login information
• Also, if the private key is lost, there is no way to recover the same.
  • For instance store, you cannot access the instance
  • For EBS-backed Linux instances, access can be regained.
    • EBS-backed instance can be stopped, its root volume detached and attached to another instance as a data volume
    • Modify the authorized_keys file, move the volume back to the original instance, and restart the instance
• Key pair associated with the instances can either be
  • Generated by EC2
    • EC2 supports RSA (2048-bit SSH-2) and ED25519 key pair types.
    • ED25519 keys are not supported for Windows instances.
    • Key pairs can be generated in PEM or PPK format.
  • Created separately (using third-party tools) and Imported into EC2
    • EC2 accepts RSA and ED25519 keys for import (does not accept DSA keys)
    • RSA supported lengths: 1024, 2048, and 4096
• Supports five thousand key pairs per region
• Key pair management features include viewing creation date and public key material for existing and new key pairs.
• Deleting a key pair only deletes the public key and does not impact the servers already launched with the key.
• Use AWS Systems Manager Session Manager to connect to the instance as it provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.

EC2 Instance Connect

• EC2 Instance Connect provides a simple and secure way to connect to instances using SSH without the need to share and manage SSH keys.
• Generates a one-time-use SSH public key and pushes it to the instance metadata, where it remains available for 60 seconds.
• IAM policies control which users can access and connect to specific instances.
• All connection requests using EC2 Instance Connect are logged to AWS CloudTrail for auditing.
• Supports IPv6 connectivity (added Sep 2024), allowing connections to instances with IPv6 addresses.
• Available at no additional cost.

EC2 Instance Connect Endpoint

• EC2 Instance Connect Endpoint (EIC Endpoint), launched in June 2023, allows secure connectivity from the Internet to instances in private subnets.
• Eliminates the need for an Internet Gateway (IGW) in the VPC, a public IP address on the resource, a bastion host, or any agent to connect to instances.
• Supports SSH (Linux) and RDP (Windows) connectivity without public IP addresses.
• Uses IAM-based authentication to establish secure connections.
• Supports IPv6 connectivity (added Oct 2025) — EIC Endpoints can be configured as dual-stack or IPv6-only.
• IAM policies can restrict which instances users can connect to through the endpoint.
• Available at no additional cost.
• Replaces traditional bastion host architecture for many use cases, reducing operational overhead and attack surface.

EC2 Security Groups

• An EC2 instance, when launched, can be associated with one or more security groups, which acts as a virtual firewall that controls the traffic to that instance
• Security groups help specify rules that control the inbound traffic that’s allowed to reach the instances and the outbound traffic that’s allowed to leave the instance
• Security groups are associated with network interfaces. Changing an instance’s security groups changes the security groups associated with the primary network interface (eth0)
• An ENI can be associated with 5 security groups and with 60 inbound and 60 outbound rules per security group (120 total rules per security group)
• A single network interface cannot have more than 1000 combined rules from all attached Security Groups.
• Rules for a security group can be modified at any time; the new rules are automatically applied to all instances associated with the security group.
• All the rules from all associated security groups are evaluated to decide where to allow traffic to an instance
• Security Group features
  • For the VPC default security group, it allows all inbound traffic from other instances associated with the default security group
  • By default, VPC default security groups or newly created security groups allow all outbound traffic
  • Security group rules are always permissive; deny rules can’t be created
  • Rules can be added and removed any time.
  • Any modification to the rules are automatically applied to the instances associated with the security group after a short period, depending on the connection tracking for the traffic
  • Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. For VPC security groups, this also means that responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules
  • If multiple rules are defined for the same protocol and port, the Most permissive rule is applied for e.g. for multiple rules for tcp and port 22 for specific IP and Everyone, everyone is granted access being the most permissive rule

Security Group VPC Associations (Oct 2024)

• Security groups can now be associated with multiple VPCs in the same account and AWS Region using Security Group VPC Associations.
• Enables enforcing consistent traffic filtering rules for workloads regardless of the VPC.
• Security groups can be shared with participant accounts using AWS Resource Access Manager (RAM) in shared VPC environments.
• Cannot share security groups that are in a default VPC.
• Eliminates the need to duplicate security group rules across multiple VPCs.

Security Group Referencing across Transit Gateway (Sep 2024)

• Security group referencing is now supported across VPCs connected by AWS Transit Gateway.
• Allows creating inbound security rules that reference security groups defined in other VPCs attached to a Transit Gateway within the same Region.
• Simplifies management and provides better security posture for TGW-based networks.
• Also supported across AWS Cloud WAN (Jun 2025) for cross-VPC connectivity.

Related Resources View (Feb 2026)

• The EC2 and VPC consoles now display a “Related resources” tab for security groups.
• Provides a consolidated view of all resources that depend on a specific security group.
• Eliminates the need to manually check multiple services before making security group configuration changes.

Connection Tracking

• Security groups are Stateful and they use Connection tracking to track information about traffic to and from the instance.
• This allows responses to inbound traffic to flow out of the instance regardless of outbound security group rules, and vice versa.
• Connection Tracking is maintained only if there is no explicit Outbound rule for an Inbound request (and vice versa)
• However, if there is an explicit Outbound rule for an Inbound request, the response traffic is allowed on the basis of the Outbound rule and not on the Tracking information
• Any existing flow of traffic, that is tracked, is not interrupted even if the rules for the security groups are changed. To ensure traffic is immediately interrupted, use NACL as they are stateless and therefore do not allow automatic response traffic.
• Also, If the instance (host A) initiates traffic to host B and uses a protocol other than TCP, UDP, or ICMP, the instance’s firewall only tracks the IP address and protocol number for the purpose of allowing response traffic from host B. If host B initiates traffic to your instance in a separate request within 600 seconds of the original request or response, your instance accepts it regardless of inbound security group rules, because it’s regarded as response traffic.
• Can be controlled by modifying the security group’s outbound rules to permit only certain types of outbound traffic or using NACL

Configurable Idle Timeouts (Nov 2023)

• Idle timeouts for connection tracking are now configurable on a per Elastic Network Interface (ENI) basis.
• Configurable timeout settings:
  • TCP Established: Min 60 seconds, Max 432,000 seconds (5 days). Default: 432,000 seconds (pre-Nitro v6) or 350 seconds (Nitro v6 instances).
  • UDP Stream: Min 60 seconds, Max 180 seconds. Default: 180 seconds.
  • UDP Unidirectional: Min 30 seconds, Max 60 seconds. Default: 30 seconds.
• Important (Jun 2025): Sixth-generation Nitro (Nitro v6) instances (c8, r8, etc.) changed the default TCP connection tracking idle timeout from 432,000 seconds (5 days) to 350 seconds. If a TCP connection remains idle for more than 350 seconds, the ENI evicts the session from its tracking table.
• Applications with long-lived idle connections on Nitro v6 instances should either configure keep-alive mechanisms or adjust the idle timeout setting.

Instance Metadata Service v2 (IMDSv2)

• IMDSv2 is an enhancement to the Instance Metadata Service that uses session-oriented token-based requests to add defense-in-depth against unauthorized metadata access.
• IMDSv2 requires a session token obtained via a PUT request before metadata can be retrieved, protecting against SSRF attacks and unauthorized access.
• Sessions can last up to six hours and tokens can only be used from the EC2 instance where the session began.
• Session token PUT requests are blocked if they contain an X-forwarded-for header (mitigates reverse proxy exploitation).
• IMDSv2 enforcement timeline:
  • Mar 2024: Account-level setting available to set IMDSv2 as default for all new instance launches.
  • Mid-2024: All newly released EC2 instance types require IMDSv2 only (IMDSv1 disabled).
  • AWS Console Quick Starts and other launch pathways default to IMDSv2.
• Methods to enforce IMDSv2:
  • Set account-level default using ModifyInstanceMetadataDefaults API
  • Set AMI-level property to require IMDSv2
  • Set instance metadata options during launch
  • Use declarative policies via AWS Organizations for multi-account, multi-region enforcement
• When IMDSv2 is required, IMDSv1 is disabled — applications relying on IMDSv1 will break.
• Default hop limit is set to 2 when IMDSv2 is required (supports containerized workloads).
• Best Practice: Enforce IMDSv2 across all instances to prevent credential theft via SSRF attacks

IAM with EC2

• IAM policy can be defined to allow or deny a user access to the EC2 resources and actions
• EC2 partially supports resource-level permissions. For some EC2 API actions, you cannot specify which resource a user is allowed to work with for that action; instead, you have to allow users to work with all resources for that action
• IAM allows to control only what actions a user can perform on the EC2 resources but cannot be used to grant access for users to be able to access or login to the instances

EC2 with IAM Role

• EC2 instances can be launched with IAM roles so that the applications can securely make API requests from your instances.
• IAM roles prevent the need to share as well as manage, rotate the security credentials that the applications use.
• IAM role can be added to an existing running EC2 instance.
• EC2 uses an instance profile as a container for an IAM role.
  • Creation of an IAM role using the console, creates an instance profile automatically and gives it the same name as the role it corresponds to.
  • When using the AWS CLI, API, or an AWS SDK to create a role, the role and instance profile needs to be created as separate actions, and they can be given different names.
  • One role per instance profile (this limit cannot be increased).
• To launch an instance with an IAM role, the name of its instance profile needs to be specified.
• An application on the instance can retrieve the security credentials provided by the role from the instance metadata item http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name.
• Security credentials are temporary and are rotated automatically and new credentials are made available at least five minutes prior to the expiration of the old credentials.
• EC2 IAM role credentials are not subject to maximum session durations configured in the role.
• Best Practice: Always launch EC2 instance with IAM role instead of hardcoded credentials

AWS Verified Access

• AWS Verified Access provides secure, VPN-less access to corporate applications and resources using zero-trust principles (“never trust, always verify”).
• Evaluates each access request based on user identity and device health rather than network location.
• Supports fine-grained access policies using the Cedar policy language.
• Originally supported HTTP(S) applications only (GA April 2023).
• Non-HTTP(S) protocol support (GA Feb 2025): Extends zero-trust access to SSH, RDP, JDBC, ODBC, and other TCP protocols.
  • Eliminates the need for VPNs or bastion hosts for SSH/RDP access to EC2 instances.
  • Simplifies security operations by using a single solution for all application types.
• Integrates with third-party identity providers (IdPs) and device management solutions.
• All access requests are logged for auditing and compliance.
• Achieved FedRAMP High and Moderate authorization (Mar 2025).
• Can be combined with AWS Network Firewall for deep packet inspection.

EC2 Resiliency

• EC2 offers the following features to support your data resiliency:
  • Copying AMIs across Regions
  • Copying EBS snapshots across Regions
  • Automating EBS-backed AMIs using Data Lifecycle Manager
  • Automating EBS snapshots using Data Lifecycle Manager
  • Maintaining the health and availability of the fleet using EC2 Auto Scaling
  • Distributing incoming traffic across multiple instances in a single AZ or multiple AZs using Elastic Load Balancing
  • Using Recycle Bin to protect EBS snapshots, EBS-backed AMIs, and EBS Volumes from accidental deletion with configurable retention periods
  • Automatically deleting underlying EBS snapshots when deregistering AMIs (Jun 2025) to simplify cleanup

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. You launch an Amazon EC2 instance without an assigned AWS identity and Access Management (IAM) role. Later, you decide that the instance should be running with an IAM role. Which action must you take in order to have a running Amazon EC2 instance with an IAM role assigned to it?
   1. Create an image of the instance, and register the image with an IAM role assigned and an Amazon EBS volume mapping.
   2. Create a new IAM role with the same permissions as an existing IAM role, and assign it to the running instance. (As per AWS latest enhancement, this is possible now)
   3. Create an image of the instance, add a new IAM role with the same permissions as the desired IAM role, and deregister the image with the new role assigned.
   4. Create an image of the instance, and use this image to launch a new instance with the desired IAM role assigned (This was correct before, as it was not possible to add an IAM role to an existing instance)
2. What does the following command do with respect to the Amazon EC2 security groups? ec2-revoke RevokeSecurityGroupIngress
   1. Removes one or more security groups from a rule.
   2. Removes one or more security groups from an Amazon EC2 instance.
   3. Removes one or more rules from a security group
   4. Removes a security group from our account.
3. Which of the following cannot be used in Amazon EC2 to control who has access to specific Amazon EC2 instances?
   1. Security Groups
   2. IAM System
   3. SSH keys
   4. Windows passwords
4. You must assign each server to at least _____ security group
   1. 3
   2. 2
   3. 4
   4. 1
5. A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?
   1. Enable Multi-Factor Authentication for your AWS root account.
   2. Assign an IAM role to the Amazon EC2 instance
   3. Store the AWS Access Key ID/Secret Access Key combination in software comments.
   4. Assign an IAM user to the Amazon EC2 Instance.
6. Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. (Choose 2 answers)
   1. Create an IAM Role that allows write access to the DynamoDB table
   2. Add an IAM Role to a running EC2 instance. (As per AWS latest enhancement, this is possible now)
   3. Create an IAM User that allows write access to the DynamoDB table.
   4. Add an IAM User to a running EC2 instance.
   5. Launch an EC2 Instance with the IAM Role included in the launch configuration (This was correct before, as it was not possible to add an IAM role to an existing instance)
7. You have an application running on an EC2 Instance, which will allow users to download files from a private S3 bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?
   1. Use the AWS account access Keys the application retrieves the credentials from the source code of the application.
   2. Create a IAM user for the application with permissions that allow list access to the S3 bucket launch the instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data.
   3. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata
   4. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.
8. A user has created an application, which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to connect with from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?
   1. The user should attach an IAM role with DynamoDB access to the EC2 instance
   2. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB
   3. The user should create an IAM role, which has EC2 access so that it will allow deploying the application
   4. The user should create an IAM user with DynamoDB and EC2 access. Attach the user with the application so that it does not use the root account credentials
9. Your application is leveraging IAM Roles for EC2 for accessing object stored in S3. Which two of the following IAM policies control access to you S3 objects.
   1. An IAM trust policy allows the EC2 instance to assume an EC2 instance role.
   2. An IAM access policy allows the EC2 role to access S3 objects
   3. An IAM bucket policy allows the EC2 role to access S3 objects. (Bucket policy is defined with S3 and not with IAM)
   4. An IAM trust policy allows applications running on the EC2 instance to assume as EC2 role (Trust policy allows EC2 instance to assume the role)
   5. An IAM trust policy allows applications running on the EC2 instance to access S3 objects. (Applications can access S3 through EC2 assuming the role)
10. You have an application running on an EC2 Instance, which will allow users to download files from a private S3 bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?
    1. Use the AWS account access Keys the application retrieves the credentials from the source code of the application.
    2. Create a IAM user for the application with permissions that allow list access to the S3 bucket launch the instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data.
    3. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata
    4. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.

New Practice Questions

11. A company wants to provide secure SSH access to EC2 instances in private subnets without using bastion hosts, VPNs, or public IP addresses. Which AWS service should they use?
    1. AWS Direct Connect
    2. AWS Site-to-Site VPN
    3. EC2 Instance Connect Endpoint
    4. AWS PrivateLink
12. A security team wants to protect EC2 instances from credential theft through SSRF (Server-Side Request Forgery) attacks targeting the instance metadata service. Which approach should they implement?
    1. Disable the instance metadata service entirely
    2. Use security groups to block metadata access
    3. Enforce IMDSv2 which requires session tokens for metadata access
    4. Encrypt the metadata service endpoint
13. An organization uses multiple VPCs within the same account and region and wants to maintain consistent security group rules across all VPCs without duplication. Which feature should they use?
    1. VPC Peering with security group referencing
    2. Security Group VPC Associations
    3. AWS Network Firewall
    4. AWS Config rules
14. A company is migrating to sixth-generation Nitro (Nitro v6) EC2 instances and experiencing dropped TCP connections for long-running idle workloads. What is the most likely cause?
    1. Security group rules are being modified
    2. Network ACLs are timing out
    3. The default TCP connection tracking idle timeout changed from 432,000 seconds to 350 seconds on Nitro v6 instances
    4. The instance is being stopped by Auto Scaling
15. A company wants to implement zero-trust access for SSH and RDP connections to EC2 instances, evaluating user identity and device security posture for each request without requiring a VPN. Which AWS service provides this capability?
    1. EC2 Instance Connect Endpoint
    2. AWS Systems Manager Session Manager
    3. AWS Verified Access
    4. AWS Client VPN
16. Which of the following key pair types are supported for EC2 Linux instances? (Choose 2)
    1. DSA
    2. RSA
    3. ED25519
    4. ECDSA