Exam AWS Certified Solutions Architect - Professional topic 1 question 827 discussion

A startup company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company's engineers rely heavily on SSH access to the instances for troubleshooting.
The company's existing architecture includes the following:
✑ A VPC with private and public subnets, and a NAT gateway
✑ Site-to-Site VPN for connectivity with the on-premises environment
✑ EC2 security groups with direct SSH access from the on-premises environment
The company needs to increase security controls around SSH access and provide auditing of commands run by the engineers.
Which strategy should a solutions architect use?

  • A. Install and configure EC2 Instance Connect on the fleet of EC2 instances. Remove all security group rules attached to EC2 instances that allow inbound TCP on port 22. Advise the engineers to remotely access the instances by using the EC2 Instance Connect CLI.
  • B. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer's devices. Install the Amazon CloudWatch agent on all EC2 instances and send operating system audit logs to CloudWatch Logs.
  • C. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer's devices. Enable AWS Config for EC2 security group resource changes. Enable AWS Firewall Manager and apply a security group policy that automatically remediates changes to rules.
  • D. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.
Suggested Answer: D
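As an added example, not part of the exam question or of any commenter's post, the CloudFormation template below wires up what answer D describes for a single instance: an IAM role carrying AmazonSSMManagedInstanceCore, an instance profile, a security group with no inbound rule at all (so the old tcp/22 rule from on-premises simply does not exist), and the account-level Session Manager preferences document that streams every session to CloudWatch Logs for the auditing requirement. It also adds an identity policy for the engineers so they can only open sessions through the logging document. The parameter names, the log group name, the instance type and the policy name are my assumptions; the outbound HTTPS path the SSM Agent needs is the NAT gateway the question already has.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - Session Manager instead of inbound SSH, with session logging

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id          # assumed: the company's existing VPC
  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id       # assumed: one of the private subnets (routes to the NAT gateway)
  AmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2   # latest AL2; SSM Agent preinstalled

Resources:
  # 1. Role the instances assume. AmazonSSMManagedInstanceCore lets the agent
  #    register with Systems Manager and serve sessions; the inline policy adds
  #    what the agent needs to write session transcripts to CloudWatch Logs.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Policies:
        - PolicyName: SessionTranscriptLogging          # assumed name
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups, logs:DescribeLogStreams]
                Resource: !GetAtt SessionLogGroup.Arn

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref InstanceRole]

  # 2. No SecurityGroupIngress at all: nothing reaches port 22. Session Manager
  #    is an outbound connection the agent opens over HTTPS, so only egress 443
  #    (towards the ssm/ssmmessages/ec2messages endpoints via the NAT) is needed.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Session Manager only - no inbound SSH
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }

  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro                         # assumed
      SubnetId: !Ref PrivateSubnetId
      IamInstanceProfile: !Ref InstanceProfile
      SecurityGroupIds: [!Ref InstanceSecurityGroup]

  # 3. Where the audit trail of every command and its output lands.
  SessionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /ssm/session-manager              # assumed name
      RetentionInDays: 365

  # 4. Account-level Session Manager preferences. The name must be exactly
  #    SSM-SessionManagerRunShell; it streams each session to the log group.
  SessionPreferences:
    Type: AWS::SSM::Document
    Properties:
      Name: SSM-SessionManagerRunShell
      DocumentType: Session
      UpdateMethod: NewVersion
      Content:
        schemaVersion: '1.0'
        description: Stream all Session Manager sessions to CloudWatch Logs
        sessionType: Standard_Stream
        inputs:
          cloudWatchLogGroupName: !Ref SessionLogGroup
          cloudWatchEncryptionEnabled: false
          cloudWatchStreamingEnabled: true
          runAsEnabled: false                          # sessions run as ssm-user, not root
          idleSessionTimeout: '20'

  # 5. What an engineer is allowed to do: start sessions only through the
  #    logging document above, and only manage their own sessions afterwards.
  EngineerSessionPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: EngineerSessionManagerAccess # assumed name
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: ssm:StartSession
            Resource:
              - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*
              - !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:document/SSM-SessionManagerRunShell
          - Effect: Allow
            Action: [ssm:TerminateSession, ssm:ResumeSession]
            Resource: 'arn:aws:ssm:*:*:session/${aws:username}-*'
```

With the stack deployed, an engineer who has the Session Manager plugin installed and the policy above attached connects with `aws ssm start-session --target i-0123456789abcdef0` (placeholder instance id); no key pair, no bastion and no inbound rule are involved, and the transcript appears as a log stream in the log group. Two things to check before relying on this: if Session Manager preferences were ever saved in the console, a document named SSM-SessionManagerRunShell already exists and must be imported or updated rather than created; and instances in private subnets need a route to the ssm, ssmmessages and ec2messages endpoints, either through the NAT gateway as here or through VPC interface endpoints if you later remove the NAT.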

Comments

[Removed]
1 year, 9 months ago
Selected Answer: A
It's surely A, EC2 Instance Connect (via browser-based console or via CLI) includes logging in CloudTrail: https://aws.amazon.com/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/
upvoted 1 times
[Removed]
1 year, 9 months ago
Actually re-read the question, they remove the port 22 inbound so this would not work. Session Manager is the only option here. Changing to D
upvoted 2 times
evargasbrz
1 year, 11 months ago
Selected Answer: D
D is the best option. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
upvoted 2 times
breathingcloud
2 years ago
Definitely D, we can rely on security group rules to whitelist because engineer count may increase, is unknown, and not practically possible to restrict with SG when we have more engineers
upvoted 2 times
mrgreatness
2 years ago
100% it's D.
upvoted 1 times
SureNot
2 years ago
Selected Answer: B
What's wrong with B? The simplest solution
upvoted 1 times
alxjandroleiva
2 years, 1 month ago
Selected Answer: B
B is correct, D is doing something that has not been asked of you and that may have more implications in other company processes
upvoted 1 times
sb333
2 years, 2 months ago
Selected Answer: D
Allows client machines to connect to Session Manager using the AWS CLI instead of going through the AWS EC2 or AWS Server Manager console. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#:~:text=aws%20ssm%20start%2Dsession%20%2D%2Dtarget%20instance%2Did
upvoted 2 times
asfsdfsdf
2 years, 4 months ago
Selected Answer: D
D - audit is being done on SSM level, no need for keys or SGs; use SSM plugin or AWS CLI to allow connection. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
upvoted 2 times
bobsmith2000
2 years, 6 months ago
Selected Answer: D
D for sure
upvoted 2 times
shailurtm2001
2 years, 7 months ago
Answer is D
upvoted 4 times
user0001
2 years, 6 months ago
B is right, if you don't have something to back up your option don't answer it. There is no Session Manager you can install, it is already available on every server, and the question is asking to use SSH not Session Manager
upvoted 1 times
Ddssssss
2 years, 5 months ago
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
upvoted 1 times
bobsmith2000
2 years, 6 months ago
B is the ancient bullshit. Never do this now. Use Session Manager instead of bastions https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
upvoted 3 times

Community vote distribution: A (35%), C (25%), B (20%), Other