Exam AWS Certified Solutions Architect - Professional topic 1 question 876 discussion

A research company is running daily simulations in the AWS Cloud to meet high demand. The simulations run on several hundred Amazon EC2 instances that are based on Amazon Linux 2. Occasionally, a simulation gets stuck and requires a cloud operations engineer to solve the problem by connecting to an EC2 instance through SSH.
Company policy states that no EC2 instance can use the same SSH key and that all connections must be logged in AWS CloudTrail.
How can a solutions architect meet these requirements?

  • A. Launch new EC2 instances, and generate an individual SSH key for each instance. Store the SSH key in AWS Secrets Manager. Create a new IAM policy, and attach it to the engineers' IAM role with an Allow statement for the GetSecretValue action. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.
  • B. Create an AWS Systems Manager document to run commands on EC2 instances to set a new unique SSH key. Create a new IAM policy, and attach it to the engineers' IAM role with an Allow statement to run Systems Manager documents. Instruct the engineers to run the document to set an SSH key and to connect through any SSH client.
  • C. Launch new EC2 instances without setting up any SSH key for the instances. Set up EC2 Instance Connect on each instance. Create a new IAM policy, and attach it to the engineers' IAM role with an Allow statement for the SendSSHPublicKey action. Instruct the engineers to connect to the instance by using a browser-based SSH client from the EC2 console.
  • D. Set up AWS Secrets Manager to store the EC2 SSH key. Create a new AWS Lambda function to create a new SSH key and to call AWS Systems Manager Session Manager to set the SSH key on the EC2 instance. Configure Secrets Manager to use the Lambda function for automatic rotation once daily. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.
Suggested Answer: C
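As an added illustration of the suggested answer (not part of the original question or discussion): a scoped-down IAM policy for the SendSSHPublicKey action from option C, and a filter that pulls Instance Connect key pushes out of CloudTrail records so the "all connections must be logged" requirement can be audited. The account id, region, instance ids and sample records are constructed, and the CloudTrail field names are assumed from AWS's documented event shape rather than copied from a live trail.

```python
from typing import Dict, List

# Hypothetical account, region and instance ids, constructed for this example.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
SIM_INSTANCES = ["i-0abc1234567890def", "i-0fed0987654321cba"]


def instance_connect_policy(instance_ids: List[str], os_user: str = "ec2-user") -> Dict:
    # Option C's policy, scoped down: only these instances, only this OS user
    # (ec2:osuser is the condition key AWS documents for SendSSHPublicKey).
    resources = [f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/{i}" for i in instance_ids]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "ec2-instance-connect:SendSSHPublicKey",
        "Resource": resources,
        "Condition": {"StringEquals": {"ec2:osuser": os_user}},
    }]}


def key_pushes(records: List[Dict]) -> List[Dict]:
    # Reduce CloudTrail records to Instance Connect key pushes: who pushed a key,
    # to which instance, as which OS user, from where. Each SSH session through
    # Instance Connect starts with one of these events, which is the audit trail.
    hits = []
    for r in records:
        if (r.get("eventSource"), r.get("eventName")) != (
                "ec2-instance-connect.amazonaws.com", "SendSSHPublicKey"):
            continue
        p = r.get("requestParameters") or {}
        hits.append({"time": r.get("eventTime"),
                     "principal": (r.get("userIdentity") or {}).get("arn"),
                     "instance": p.get("instanceId"),
                     "os_user": p.get("osUser"),
                     "source_ip": r.get("sourceIPAddress")})
    return hits


# Constructed sample records. Field names (instanceId, osUser, SSHKey.publicKey)
# are assumed from AWS's documented example event; verify against a real trail.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T09:14:02Z", "eventSource": "ec2-instance-connect.amazonaws.com",
     "eventName": "SendSSHPublicKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/CloudOps/alice"},
     "requestParameters": {"instanceId": SIM_INSTANCES[0], "osUser": "ec2-user",
                           "SSHKey": {"publicKey": "ssh-ed25519 AAAA... (constructed)"}}},
    {"eventTime": "2024-03-01T09:15:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/CloudOps/alice"}},
]
```

The engineer's own key pair is generated locally per session and only the public half is pushed, so no two instances ever share a long-lived key and every push lands in CloudTrail with the principal, instance and OS user.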

Comments

exam_asz
Highly Voted 2 years, 2 months ago
Selected Answer: C
https://aws.amazon.com/vi/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/
upvoted 10 times
DDONG
Highly Voted 2 years, 2 months ago
I think C
upvoted 5 times
hobokabobo
Most Recent 1 year, 8 months ago
Selected Answer: C
All that said: C seems to be what can be done. The user uploads the *public* key and the instance retrieves this public key. Yes, one can do that, but what the question asks for makes no sense at all.
upvoted 1 times
hobokabobo
1 year, 8 months ago
Actually: the instance gets its own host key via cloud-init. It's generated when the machine starts. Actually 4 of them, with different algorithms. No need to manage them. Besides that, the instance is not assigned a key. Users have a private key. From the private key a public key can be generated, and this *public* key is given away to the public. It can be stored in any authorized_keys in a user's home dir or retrieved from any public source where that key is stored (it's public, so no reason to protect it in any way; everyone can see it, even the EC2).
upvoted 1 times
hobokabobo
1 year, 8 months ago
Also: look up AuthorizedKeysCommand in sshd.
upvoted 1 times
Heer
1 year, 10 months ago
One of the key benefits of Session Manager over EC2 Instance Connect is that it eliminates the need to manage SSH keys. Instead of using SSH keys to authenticate the connection, Session Manager uses IAM roles and policies to authenticate the user and provide them with the necessary permissions. This means that you don't have to worry about managing and rotating SSH keys, as Session Manager takes care of authentication and authorization for you.
upvoted 1 times
Heer
1 year, 10 months ago
Option B should be the right pick here. Output from ChatGPT: If your company policy states that no EC2 instances can use the same SSH key and that all connections must be logged in AWS CloudTrail, you can use AWS Systems Manager Session Manager to meet these requirements. Session Manager is a fully managed service that allows you to connect to your instances using the HTTPS protocol. It uses the AWS Identity and Access Management (IAM) service to authenticate the user and provide them with the necessary permissions to start a session. Session Manager provides a more secure and auditable way to connect to your instances, as it allows you to restrict who can start a session and what actions they can perform.
upvoted 2 times
exam_war
2 years, 1 month ago
Selected Answer: C
C is correct
upvoted 1 times
Kende
2 years, 1 month ago
Selected Answer: C
Requirement: "all connections must be logged in AWS CloudTrail." EC2 Instance Connect pushes the SSH connection logs to AWS CloudTrail.
upvoted 1 times
sodasu
2 years, 1 month ago
Why not D?
upvoted 2 times
AwsBRFan
2 years, 1 month ago
Selected Answer: C
https://aws.amazon.com/vi/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/ Keyword: "CloudTrail"
upvoted 1 times
pixepe
2 years, 3 months ago
Both B & D need attention. However, B is INCORRECT since there is no way to share the SSH key with engineers. And without an SSH key, how will the engineer connect to EC2?
upvoted 1 times
pixepe
2 years, 2 months ago
Why Session Manager is better than EC2 Instance Connect: https://www.linkedin.com/pulse/ec2-connect-versus-ssm-session-manager-security-review-almbasher
upvoted 1 times
pixepe
2 years, 1 month ago
Correcting my answer to EC2 Instance Connect (Option C); Session Manager eliminates management of SSH keys, while in the question there is still management of a key, though a unique one.
upvoted 1 times
JoMainAWS
2 years, 3 months ago
Definitely D
upvoted 1 times
Rocketeer
2 years, 3 months ago
I think D
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other