Exam AWS Certified Security - Specialty topic 1 question 208 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 208
Topic #: 1

A company wants to deploy an application in a private VPC that will not be connected to the internet. The company's security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances. The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances.
Which combination of steps should the security team take? (Choose three.)

  • A. Make sure the Systems Manager Agent is installed and running on all EC2 instances inside the VPC.
  • B. Ensure the IAM role attached to the EC2 instances in the VPC allows access to Systems Manager.
  • C. Create an SCP that prevents the creation of SSH key pairs.
  • D. Launch a NAT gateway in the VPC. Update the routing policies to forward traffic to this NAT gateway.
  • E. Ensure proper VPC endpoints are in place for Systems Manager and Amazon EC2.
  • F. Ensure the VPC has a transit gateway attachment. Update the routing policies to forward traffic to this transit gateway.
Suggested Answer: ABE
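As an added illustration (not part of the exam page or of any commenter's post): a small Python preflight check, run over constructed sample data, that flags the conditions answers B and E depend on, namely the three interface endpoints (ssm, ssmmessages, ec2messages) with private DNS enabled and an instance role carrying the AmazonSSMManagedInstanceCore managed policy. The sample endpoint data, the region and the function names are assumptions; the agent check for answer A happens on the instance itself and is not covered here.

```python
# Required interface endpoints for Session Manager in a VPC with no internet
# route: ssm, ssmmessages and ec2messages (as the linked AWS articles state).
REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")
# AWS managed policy that gives an instance role the Systems Manager core permissions.
SSM_CORE_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def check_endpoints(describe_output: dict, region: str) -> list:
    """Return findings for required endpoints that are missing or misconfigured.

    describe_output is the parsed JSON of `aws ec2 describe-vpc-endpoints`;
    the sample fed in below is constructed, not captured from an account.
    """
    findings = []
    by_service = {ep["ServiceName"]: ep for ep in describe_output.get("VpcEndpoints", [])}
    for svc in REQUIRED_SERVICES:
        name = f"com.amazonaws.{region}.{svc}"
        ep = by_service.get(name)
        if ep is None:
            findings.append(f"missing interface endpoint {name}")
            continue
        if ep.get("VpcEndpointType") != "Interface":
            findings.append(f"{name}: must be an Interface endpoint, not {ep.get('VpcEndpointType')}")
        if ep.get("State") != "available":
            findings.append(f"{name}: state is {ep.get('State')}, expected available")
        if not ep.get("PrivateDnsEnabled", False):
            # Without private DNS the agent resolves the public hostname, which a
            # VPC with no internet route cannot reach, so the session never comes up.
            findings.append(f"{name}: private DNS disabled")
    return findings


def check_instance_role(attached_policy_arns: list) -> list:
    """Flag an instance role without the SSM core managed policy (answer B).
    Input is the ARN list from `aws iam list-attached-role-policies`."""
    if SSM_CORE_POLICY not in attached_policy_arns:
        return [f"instance role lacks {SSM_CORE_POLICY} (or equivalent inline permissions)"]
    return []


# Constructed sample: ssm is correct, ssmmessages has private DNS off, ec2messages is absent.
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"ServiceName": "com.amazonaws.us-east-1.ssm", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": True},
    {"ServiceName": "com.amazonaws.us-east-1.ssmmessages", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": False},
]}

if __name__ == "__main__":
    for finding in check_endpoints(SAMPLE_ENDPOINTS, "us-east-1") + check_instance_role([]):
        print("FINDING:", finding)
```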

Comments

DerekKey
Highly Voted 3 years, 3 months ago
A/B/E -> https://aws.amazon.com/blogs/mt/automated-configuration-of-session-manager-without-an-internet-gateway/
upvoted 18 times
ITGURU51
1 year, 9 months ago
Session Manager also provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. This results in cost savings because it reduces management overhead and centralizes access control.
upvoted 1 times
sapien45
2 years, 6 months ago
Great response, thanks for the link. EC2 instances in the VPC need a route to Systems Manager, Session Manager Message Gateway Service, and Message Delivery Service. Without an internet gateway, this requires a VPC endpoint for each of the three required services (ssm, ssmmessages, and ec2messages). This solution works only in AWS Regions that offer these three VPC endpoints. Otherwise, you must use an internet gateway or select a different AWS Region. ABE
upvoted 2 times
eskimolander
Highly Voted 3 years, 3 months ago
A better reference to the answers: https://aws.amazon.com/es/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/
upvoted 6 times
FlyingHawk
Most Recent 1 day, 14 hours ago
Selected Answer: ABE
A - https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html
B - https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html
E - https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html
upvoted 1 times
imymoco
3 months, 2 weeks ago
I mistakenly selected C, but SSH is no use in a private subnet.
upvoted 1 times
Raphaello
11 months, 2 weeks ago
Selected Answer: ABE
ABE are correct. SSM agent installed on instances. Instance profiles allow access to SSM. VPC endpoint for SSM to ensure access remains within AWS.
upvoted 1 times
vavofa5697
1 year, 9 months ago
Can anyone elaborate why C is incorrect?
upvoted 2 times
anhtu133
1 year, 2 months ago
Because this is a private VPC. You can't use SSH.
upvoted 1 times
ITGURU51
1 year, 9 months ago
The answer is ABE: install the SSM agent, VPC endpoints, recommended IAM role.
upvoted 1 times
TigerInTheCloud
2 years, 9 months ago
Selected Answer: ABE
I did this kind of setup. It also requires a couple of other SSM related VPC endpoints, and if the SSM agent package is not included in the AMI, there is more work to do.
upvoted 3 times
Radhaghosh
3 years ago
A, B, E
upvoted 1 times
Hariru
3 years, 2 months ago
Selected Answer: ABE
A: You need the agent on the EC2 instance. B: Role needs access. E: Endpoints are necessary to enable access. The others don't even make sense in my opinion.
upvoted 3 times
kiev
3 years, 3 months ago
ABE for sure
upvoted 2 times
Kastian
3 years, 3 months ago
My answer: ABC. I don't understand this kind of bots that blindly copy-paste the answer of a previous user as a correct answer confirmation. Can you please at least come with evidence why a specific option is correct or not? Anyway, the question states: "The company's security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances." So how do you prevent SSH connections with a Transit Gateway attachment? Of course you could say that, well, you will define a security group and routing that will block SSH connections, but why would you need a TGW attachment in this case? So, I don't have documentation proof, but to me option C sounds more logical than option E.
upvoted 2 times
Kastian
3 years, 3 months ago
Oops, made a mistake! :)) After some research and based on the following articles: https://aws.amazon.com/blogs/aws/new-session-manager/ https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/ I do agree with: Answer ABE!
upvoted 1 times
sanjaym
3 years, 3 months ago
ABE 100%
upvoted 2 times
Hungdv
3 years, 4 months ago
A, B and E
upvoted 1 times
cldy
3 years, 4 months ago
A. B. E.
upvoted 2 times
[Removed]
3 years, 4 months ago
A, B, E -> 100%
upvoted 2 times
DayQuil
3 years, 4 months ago
A, B, and E. This VPC has NO internet access, so a NAT gateway isn't even needed.
upvoted 5 times
Community vote distribution: A (35%), C (25%), B (20%), Other