AWS Certified Security - Specialty (#86)

A company had one of its Amazon EC2 key pairs compromised. A Security Engineer must identify which current Linux EC2 instances were deployed and used the compromised key pair. How can this task be accomplished?

Obtain the list of instances by directly querying Amazon EC2 using:
aws ec2 describe-instances --fi1ters "Name=key-name,Values=KEYNAMEHERE"
.
Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in the Amazon Inspector logs.
Obtain the output from the EC2 instance metadata using: curl http: //169.254.169.254/latest/meta-data/public- keys/0/.
Obtain the fingerprint for the key pair from the AWS Management Console, then search for the fingerprint in Amazon CloudWatch Logs using:
aws logs filter-log-events
.