Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 742 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 742
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A company recently deployed a new application that runs on a group of Amazon EC2 Linux instances in a VPC. In a peered VPC, the company launched an EC2
Linux instance that serves as a bastion host. The security group of the application instances allows access only on TCP port 22 from the private IP of the bastion host. The security group of the bastion host allows access to TCP port 22 from 0.0.0.0/0 so that system administrators can use SSH to remotely log in to the application instances from several branch offices.
While looking through operating system logs on the bastion host, a cloud engineer notices thousands of failed SSH logins to the bastion host from locations around the world. The cloud engineer wants to change how remote access is granted to the application instances and wants to meet the following requirements:
✑ Eliminate brute-force SSH login attempts.
✑ Retain a log of commands run during an SSH session.
✑ Retain the ability to forward ports.
Which solution meets these requirements for remote access to the application instances?

  • A. Configure the application instances to communicate with AWS Systems Manager. Grant access to the system administrators to use Session Manager to establish a session with the application instances. Terminate the bastion host.
  • B. Update the security group of the bastion host to allow traffic from only the public IP addresses of the branch offices.
  • C. Configure an AWS Client VPN endpoint and provision each system administrator with a certificate to establish a VPN connection to the application VPC. Update the security group of the application instances to allow traffic from only the Client VPN IPv4 CIDR. Terminate the bastion host.
  • D. Configure the application instances to communicate with AWS Systems Manager. Grant access to the system administrators to issue commands to the application instances by using Systems Manager Run Command. Terminate the bastion host.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by gsw at April 30, 2021, 3:10 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
Jaypdv
Highly Voted 3 years ago
A. "Session Manager removes the need to open inbound ports, manage SSH keys, or use bastion hosts" Ref: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
upvoted 20 times
...
SJain50
Highly Voted 2 years, 11 months ago
B question says " Retain the ability to forward ports" - NAT gateway can not do this. Only NAT instance or bastian host is capable to do this.
upvoted 6 times
...
Jesuisleon
Most Recent 1 year, 4 months ago
Why D is not right ?
upvoted 1 times
vn_thanhtung
1 year, 1 month ago
Because use "Systems Manager Run Command"
upvoted 1 times
...
...
Shankar124
2 years, 3 months ago
A is correct: As its now also support port forwarding Ref: https://aws.amazon.com/about-aws/whats-new/2022/05/aws-systems-manager-support-port-forwarding-remote-hosts-using-session-manager/
upvoted 1 times
...
user89
2 years, 4 months ago
A. Session Manager logs the commands you enter and their output during a session depending on your session preferences. so it covers all requirement. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html
upvoted 2 times
...
tartarus23
2 years, 5 months ago
Selected Answer: A
A. Session manager enables secure SSH Access, port forwarding, and logging of sesssions
upvoted 1 times
...
chatvinoth
2 years, 9 months ago
I go for A, as session manager also allows port forwarding - Refer below blog https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/
upvoted 1 times
...
AzureDP900
2 years, 10 months ago
A right answer
upvoted 1 times
...
andylogan
2 years, 11 months ago
It's A
upvoted 1 times
...
tgv
2 years, 11 months ago
AAA --- Good job @ExtHo on sharing: Retain a log of commands run during an SSH session. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html Retain the ability to forward ports. https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/
upvoted 1 times
...
blackgamer
2 years, 11 months ago
A is the answer.
upvoted 1 times
...
sergioandreslq
2 years, 11 months ago
A: Incorrect: It is the most secure, However, it does not comply with requirement to: "Retain the ability to forward ports." B: Correct: It is the easy way just allowing SSH from offices, the SysAdmins will continue connecting in the same way they are doing today and Retain the ability to forward ports. C: Incorrect, It will work but the issue is the amount of work of the deployment for VPN.
upvoted 1 times
sergioandreslq
2 years, 11 months ago
changed From B to A. At the end, session manager is the most secure. I like the B because it is faster and easier, but exist the risk of brute force even from the on-premise network. So, the most secure is option A.
upvoted 2 times
...
...
Suresh108
2 years, 11 months ago
AAAAAAA
upvoted 1 times
...
Kopa
2 years, 11 months ago
Its A, Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your managed instances.
upvoted 2 times
...
WhyIronMan
2 years, 11 months ago
I'll go with A
upvoted 2 times
...
qurren
2 years, 11 months ago
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html It says: "Logging isn't available for Session Manager sessions that connect through port forwarding or SSH. This is because SSH encrypts all session data, and Session Manager only serves as a tunnel for SSH connections." So A is not correct... I will choose B.
upvoted 2 times
...
hk436
2 years, 12 months ago
A is my answer!! Session Manager logs the commands you enter and their output during a session depending on your session preferences. To prevent sensitive data, such as passwords, from being viewed in your session logs we recommend using the following commands when entering sensitive data during a session. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html
upvoted 2 times
...
Load full discussion...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel