Exam AWS Certified Solutions Architect - Professional topic 1 question 742 discussion

A company recently deployed a new application that runs on a group of Amazon EC2 Linux instances in a VPC. In a peered VPC, the company launched an EC2 Linux instance that serves as a bastion host. The security group of the application instances allows access only on TCP port 22 from the private IP of the bastion host. The security group of the bastion host allows access to TCP port 22 from 0.0.0.0/0 so that system administrators can use SSH to remotely log in to the application instances from several branch offices.
While looking through operating system logs on the bastion host, a cloud engineer notices thousands of failed SSH logins to the bastion host from locations around the world. The cloud engineer wants to change how remote access is granted to the application instances and wants to meet the following requirements:
✑ Eliminate brute-force SSH login attempts.
✑ Retain a log of commands run during an SSH session.
✑ Retain the ability to forward ports.
Which solution meets these requirements for remote access to the application instances?

  • A. Configure the application instances to communicate with AWS Systems Manager. Grant access to the system administrators to use Session Manager to establish a session with the application instances. Terminate the bastion host.
  • B. Update the security group of the bastion host to allow traffic from only the public IP addresses of the branch offices.
  • C. Configure an AWS Client VPN endpoint and provision each system administrator with a certificate to establish a VPN connection to the application VPC. Update the security group of the application instances to allow traffic from only the Client VPN IPv4 CIDR. Terminate the bastion host.
  • D. Configure the application instances to communicate with AWS Systems Manager. Grant access to the system administrators to issue commands to the application instances by using Systems Manager Run Command. Terminate the bastion host.
Suggested Answer: C
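The log triage the cloud engineer performs in the question (thousands of failed SSH logins on the bastion), as an added example that is not part of the exam question or of any AWS material: it parses sshd authentication lines, counts failures per source IP, and checks how many of those attempts a security-group allowlist of branch-office ranges (option B) would actually stop. The log lines, the branch-office CIDR 192.0.2.0/28 and the RFC 5737 documentation addresses are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of bastion-host sshd log lines (RFC 5737 documentation
# addresses); not taken from the question or from any real host.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 bastion sshd[2151]: Failed password for invalid user admin from 203.0.113.45 port 51422 ssh2
Jan 12 03:14:09 bastion sshd[2153]: Failed password for root from 203.0.113.45 port 51430 ssh2
Jan 12 03:14:11 bastion sshd[2155]: Failed password for root from 203.0.113.45 port 51436 ssh2
Jan 12 03:14:12 bastion sshd[2157]: Invalid user oracle from 198.51.100.7 port 40022
Jan 12 03:14:12 bastion sshd[2157]: Failed password for invalid user oracle from 198.51.100.7 port 40022 ssh2
Jan 12 03:15:01 bastion sshd[2160]: Accepted publickey for ec2-user from 192.0.2.10 port 55010 ssh2: RSA SHA256:abc
Jan 12 03:15:30 bastion sshd[2162]: Failed password for ec2-user from 192.0.2.12 port 55100 ssh2
Jan 12 03:16:02 bastion sshd[2164]: Failed publickey for ec2-user from 203.0.113.200 port 60001 ssh2: RSA SHA256:def
"""

# Hypothetical branch-office egress range that option B would allowlist
# on the bastion's security group.
BRANCH_OFFICE_CIDRS = ["192.0.2.0/28"]

# One match per failed authentication. The "Invalid user" line sshd emits for
# an unknown account is followed by a "Failed password" line for the same
# attempt, so only "Failed ..." lines are counted to avoid double counting.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (user, source_ip) tuples, one per failed SSH login."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group(1), m.group(2)))
    return attempts


def failures_by_source(attempts):
    """Count failed attempts per source IP, most frequent first."""
    return Counter(ip for _, ip in attempts).most_common()


def split_by_allowlist(attempts, allowed_cidrs):
    """Partition attempts into those a security-group allowlist of
    allowed_cidrs would drop (source outside the ranges) and those it would
    still admit to sshd (source inside one of the ranges)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    blocked, admitted = [], []
    for user, ip in attempts:
        addr = ipaddress.ip_address(ip)
        (admitted if any(addr in n for n in nets) else blocked).append((user, ip))
    return blocked, admitted


if __name__ == "__main__":
    attempts = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("failed attempts per source IP:")
    for ip, n in failures_by_source(attempts):
        print(f"  {ip:15} {n}")
    blocked, admitted = split_by_allowlist(attempts, BRANCH_OFFICE_CIDRS)
    print(f"{len(blocked)} attempts would be dropped by the branch-office allowlist, "
          f"{len(admitted)} would still reach sshd")
```

The allowlist split is the check worth running before choosing option B: any failure whose source already sits inside an allowed range is one a security-group change cannot eliminate, which is why the options that remove the public SSH listener entirely eliminate the attempts rather than merely filter them.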

Comments

Jaypdv
Highly Voted 3 years, 2 months ago
A. "Session Manager removes the need to open inbound ports, manage SSH keys, or use bastion hosts" Ref: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
upvoted 20 times
SJain50
Highly Voted 3 years, 1 month ago
B. The question says "Retain the ability to forward ports" - a NAT gateway cannot do this. Only a NAT instance or bastion host is capable of doing this.
upvoted 6 times
Jesuisleon
Most Recent 1 year, 6 months ago
Why D is not right ?
upvoted 1 times
vn_thanhtung
1 year, 3 months ago
Because it uses "Systems Manager Run Command".
upvoted 1 times
Shankar124
2 years, 5 months ago
A is correct: it now also supports port forwarding. Ref: https://aws.amazon.com/about-aws/whats-new/2022/05/aws-systems-manager-support-port-forwarding-remote-hosts-using-session-manager/
upvoted 1 times
user89
2 years, 6 months ago
A. Session Manager logs the commands you enter and their output during a session, depending on your session preferences, so it covers all requirements. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html
upvoted 2 times
tartarus23
2 years, 7 months ago
Selected Answer: A
A. Session Manager enables secure SSH access, port forwarding, and logging of sessions.
upvoted 1 times
chatvinoth
2 years, 10 months ago
I go for A, as Session Manager also allows port forwarding - refer to the blog below: https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/
upvoted 1 times
AzureDP900
2 years, 12 months ago
A right answer
upvoted 1 times
andylogan
3 years, 1 month ago
It's A
upvoted 1 times
tgv
3 years, 1 month ago
AAA --- Good job @ExtHo on sharing: Retain a log of commands run during an SSH session. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html Retain the ability to forward ports. https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/
upvoted 1 times
blackgamer
3 years, 1 month ago
A is the answer.
upvoted 1 times
sergioandreslq
3 years, 1 month ago
A: Incorrect. It is the most secure; however, it does not comply with the requirement to "Retain the ability to forward ports."
B: Correct. It is the easy way, just allowing SSH from the offices; the SysAdmins will continue connecting the same way they do today and retain the ability to forward ports.
C: Incorrect. It will work, but the issue is the amount of deployment work for the VPN.
upvoted 1 times
sergioandreslq
3 years, 1 month ago
Changed from B to A. In the end, Session Manager is the most secure. I like B because it is faster and easier, but the risk of brute force exists even from the on-premises network. So the most secure is option A.
upvoted 2 times
Suresh108
3 years, 1 month ago
AAAAAAA
upvoted 1 times
Kopa
3 years, 1 month ago
It's A. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your managed instances.
upvoted 2 times
WhyIronMan
3 years, 1 month ago
I'll go with A
upvoted 2 times
qurren
3 years, 1 month ago
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html It says: "Logging isn't available for Session Manager sessions that connect through port forwarding or SSH. This is because SSH encrypts all session data, and Session Manager only serves as a tunnel for SSH connections." So A is not correct... I will choose B.
upvoted 2 times
hk436
3 years, 1 month ago
A is my answer! Session Manager logs the commands you enter and their output during a session, depending on your session preferences. To prevent sensitive data, such as passwords, from being viewed in your session logs, we recommend using the following commands when entering sensitive data during a session. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)