Security Layer
What This Configuration Gets Right — and What It Does Not
The security posture in this lab is intentionally minimal but intentionally correct. Understanding both is important.
The /32 SSH rule is correct for a lab. In a team environment, the better pattern is a bastion host or AWS Systems Manager Session Manager, which eliminates inbound SSH entirely. With Session Manager, you connect to instances through the AWS API, the instance needs no public IP, and every session is logged to CloudWatch. That is the production standard for most teams — no port 22 open anywhere.
The IAM role with no policies is architecturally correct. The instance has an identity but no permissions. When you add permissions later, you add them to the role, not to a user account that outlives the instance.
IMDSv2 Enforcement
The metadata service at 169.254.169.254 that you used in the previous section has two versions. IMDSv1 is accessible with a simple GET request and has been the vector for several high-profile credential theft attacks — including the Capital One breach in 2019, which involved an SSRF vulnerability that allowed an attacker to query the metadata service and extract IAM credentials.
IMDSv2 requires a session-oriented token before returning any metadata. You can enforce IMDSv2 at launch time by setting “Metadata version” to “V2 only” in the Advanced details section, or after launch via the CLI:
aws ec2 modify-instance-metadata-options \
    --instance-id <your-instance-id> \
    --http-tokens required \
    --http-put-response-hop-limit 1

Setting http-put-response-hop-limit to 1 ensures that the response carrying a metadata token cannot be forwarded beyond the instance itself. That is a critical control for containerized workloads, where a higher hop limit would let containers on the host reach the metadata service and obtain tokens of their own. For this lab, enforce IMDSv2 now as a practice habit.
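The CLI command above fixes one instance; in practice you also want to find every instance that still allows IMDSv1 or a hop limit above 1. The following audit is an added example, not code from the original page or from AWS. It parses the JSON that `aws ec2 describe-instances --output json` returns (the `MetadataOptions` block with `HttpEndpoint`, `HttpTokens` and `HttpPutResponseHopLimit` is the real field layout) and emits one finding per non-compliant instance, along with the remediation command from the page filled in for that instance. The instance ids and the sample document itself are constructed placeholders.

```python
"""Audit EC2 instances for IMDSv2 enforcement and a hop limit of 1.

Added example, not part of the original page. The sample input below is a
constructed, trimmed `aws ec2 describe-instances` document; instance ids are
placeholders. In real use, feed it the output of
`aws ec2 describe-instances --output json` instead.
"""
import json

# Constructed sample: one instance allowing IMDSv1 with hop limit 2, one fully
# compliant, and one that requires tokens but still has hop limit 2.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbbb",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccccccccccccccccc",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
        ]}
    ]
})


def audit_metadata_options(describe_instances_json):
    """Return a list of findings, one per instance that is not IMDSv2-only
    with a hop limit of 1. Instances whose metadata endpoint is disabled
    expose nothing and are not reported."""
    data = json.loads(describe_instances_json)
    findings = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue
            problems = []
            # Anything other than "required" still answers plain IMDSv1 GETs.
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed (HttpTokens is not 'required')")
            # A hop limit above 1 lets the token response be routed one more
            # hop, e.g. to a container behind a bridge on the same host.
            hop_limit = opts.get("HttpPutResponseHopLimit", 1)
            if hop_limit > 1:
                problems.append(
                    "hop limit %d lets token responses leave the instance" % hop_limit)
            if problems:
                findings.append({"InstanceId": inst["InstanceId"],
                                 "Problems": problems,
                                 "Fix": remediation_command(inst["InstanceId"])})
    return findings


def remediation_command(instance_id):
    """The enforcement command from the page, filled in for one instance."""
    return ("aws ec2 modify-instance-metadata-options "
            "--instance-id %s --http-tokens required "
            "--http-put-response-hop-limit 1" % instance_id)


if __name__ == "__main__":
    for finding in audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES):
        print(finding["InstanceId"])
        for problem in finding["Problems"]:
            print("  -", problem)
        print("  fix:", finding["Fix"])
```

Run against live output with `aws ec2 describe-instances --output json > instances.json` and pass the file contents to `audit_metadata_options`. The check deliberately treats a missing `HttpTokens` value as non-compliant rather than assuming a safe default.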
EBS Volume Encryption
The default 8 GiB volume launched with this instance is not encrypted unless your account has default encryption enabled. At rest, unencrypted EBS volumes expose data if the underlying physical media is improperly decommissioned. In production, all volumes should be encrypted with a CMK (customer-managed key) in AWS KMS.
You can enable account-level default EBS encryption at EC2 > Settings > Data protection and security > Always encrypt new EBS volumes. Enabling this means every volume you create going forward will be encrypted with the AWS-managed default key, with no additional steps required.
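Turning on default encryption only affects volumes created from then on, so existing volumes still need to be checked, and the page's production standard (a customer-managed KMS key rather than the AWS-managed default) is not visible from the volume alone. The audit below is an added example, not code from the original page or from AWS. It parses a constructed `aws ec2 describe-volumes` document (the `VolumeId`, `Encrypted`, `KmsKeyId` and `Attachments` fields are the real layout) and distinguishes AWS-managed from customer-managed keys using the `KeyManager` value that `aws kms describe-key` reports; that lookup is stood in for by a constructed dictionary keyed on key ARN. All ids, ARNs and the account number are placeholders.

```python
"""Audit EBS volumes for encryption at rest and for the key type in use.

Added example, not part of the original page. Sample inputs are constructed;
volume ids, key ARNs and the account id are placeholders. In real use, pass
the output of `aws ec2 describe-volumes --output json` and build the
key-manager map from `aws kms describe-key --key-id <arn>` for each key ARN
(its KeyMetadata.KeyManager is "AWS" or "CUSTOMER").
"""
import json

AWS_MANAGED_KEY = "arn:aws:kms:us-east-1:111122223333:key/aws-managed-placeholder"
CUSTOMER_KEY = "arn:aws:kms:us-east-1:111122223333:key/customer-managed-placeholder"

# Constructed sample: the lab's unencrypted 8 GiB root volume, one volume on
# the AWS-managed default key, and one on a customer-managed key.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaaaaaaaaaaaaaaa", "Size": 8, "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0aaaaaaaaaaaaaaaa"}]},
    {"VolumeId": "vol-0bbbbbbbbbbbbbbbb", "Size": 8, "Encrypted": True,
     "KmsKeyId": AWS_MANAGED_KEY, "Attachments": []},
    {"VolumeId": "vol-0ccccccccccccccccc", "Size": 20, "Encrypted": True,
     "KmsKeyId": CUSTOMER_KEY,
     "Attachments": [{"InstanceId": "i-0bbbbbbbbbbbbbbbb"}]},
]})

# Constructed stand-in for per-key `aws kms describe-key` results.
SAMPLE_KEY_MANAGER = {AWS_MANAGED_KEY: "AWS", CUSTOMER_KEY: "CUSTOMER"}


def audit_volumes(describe_volumes_json, key_manager_by_arn):
    """Return findings for volumes that are unencrypted (high) or encrypted
    only with an AWS-managed key (medium, per the page's CMK standard)."""
    data = json.loads(describe_volumes_json)
    findings = []
    for vol in data.get("Volumes", []):
        attached_to = [a.get("InstanceId") for a in vol.get("Attachments", [])]
        if not vol.get("Encrypted", False):
            findings.append({"VolumeId": vol["VolumeId"], "Severity": "high",
                             "Issue": "volume is not encrypted at rest",
                             "AttachedTo": attached_to})
            continue
        manager = key_manager_by_arn.get(vol.get("KmsKeyId"), "UNKNOWN")
        if manager != "CUSTOMER":
            findings.append({"VolumeId": vol["VolumeId"], "Severity": "medium",
                             "Issue": "encrypted with %s-managed key, not a CMK" % manager,
                             "AttachedTo": attached_to})
    return findings


def default_encryption_enabled(get_ebs_encryption_by_default_json):
    """Parse `aws ec2 get-ebs-encryption-by-default` output; True means new
    volumes in this region are encrypted automatically."""
    return bool(json.loads(get_ebs_encryption_by_default_json)
                .get("EbsEncryptionByDefault", False))


if __name__ == "__main__":
    for finding in audit_volumes(SAMPLE_DESCRIBE_VOLUMES, SAMPLE_KEY_MANAGER):
        print(finding["Severity"], finding["VolumeId"], finding["Issue"],
              "attached to", finding["AttachedTo"] or "nothing")
```

An unattached, unencrypted volume is still a finding: it is exactly the data that survives an instance's termination and ends up on decommissioned media. An unknown key manager (a key ARN the lookup map lacks) is reported rather than silently treated as compliant.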
Security Layer Check
Question 1 of 1
What does enforcing IMDSv2 with hop limit 1 protect against in a containerized environment?