Exam AWS Certified SysOps Administrator - Associate topic 1 question 103 discussion

A SysOps administrator needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added.
Which additional actions should the administrator take to control access? (Choose two.)

  • A. Attach an IAM policy to the users or groups that require access to the EC2 instances.
  • B. Attach an IAM role to control access to the EC2 instances.
  • C. Create a placement group for the EC2 instances and add a specific tag.
  • D. Create a service account and attach it to the EC2 instances that need to be controlled.
  • E. Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.
Suggested Answer: AE

Comments

Vivec
Highly Voted 1 year, 7 months ago
Selected Answer: AE
A. Attach an IAM policy to the users or groups that require access to the EC2 instances: IAM policies can be used to control access to resources in AWS. The policy can specify which actions are allowed or denied and which resources the user or group can access. In this case, the policy should include permissions to use the Session Manager service.
E. Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element: This policy can specify that access is granted only to instances with specific tags. For example, a policy could specify that users or groups can only access instances that have a specific tag, such as "Environment=Prod". This helps to ensure that only the appropriate instances are accessed.
upvoted 7 times
...
OlehKom
Most Recent 4 months, 2 weeks ago
Selected Answer: AE
Simply remember: The IAM role attached to ec2 instances (B) allows the instances to interact with AWS services (Systems Manager) but doesn't control user access
upvoted 2 times
...
AgboolaKun
5 months ago
Selected Answer: AE
Control access to smaller deployments of Amazon EC2 instances as follows:
1. Add a specific tag to the instances that you want to grant the users or groups access to.
2. Create an IAM policy that grants access to any instances with the specific tag.
3. Attach the IAM policy to the users or groups that you want to access the instances.
Please refer to this link for more information - https://repost.aws/knowledge-center/iam-ec2-resource-tags
upvoted 2 times
...
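As an added example (not from the page or from any commenter), the following Python puts the two sides of that setup next to each other: the identity policy from steps 2 and 3 above, which carries the tag condition on ssm:StartSession and is what gets attached to users or groups, and, for contrast, the instance-side trust policy and managed policy that OlehKom's comment refers to, which let the SSM agent register with Systems Manager but grant no user a session. The account ID, region, tag key and value, group name and instance inventory are constructed for the example; the small evaluator only mimics the StringEquals tag check (an instance that lacks the tag key fails the condition and is implicitly denied), so use aws iam simulate-principal-policy for the authoritative answer.

```python
"""Session Manager access by EC2 instance tag: user-side policy (answers A and E)
beside the instance-side role (answer B), plus a local check of which instances the
tag condition selects. Added example; all identifiers below are constructed."""
import json

ACCOUNT_ID = "123456789012"                  # constructed
REGION = "us-east-1"                         # constructed
GROUP_NAME = "ops-prod-session-users"        # constructed IAM group
TAG_KEY, TAG_VALUE = "Environment", "Prod"   # the tag already present on the instances

# Answer B: the role the *instances* assume. It lets the SSM agent register and
# talk to Systems Manager; it says nothing about which humans may open sessions.
INSTANCE_ROLE_MANAGED_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
INSTANCE_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def session_policy(account_id: str, region: str, tag_key: str, tag_value: str) -> dict:
    """Answer E: identity policy allowing ssm:StartSession only on instances whose
    tag matches, via the ssm:resourceTag/<key> condition key. Answer A is attaching
    it: aws iam attach-group-policy --group-name <group> --policy-arn <arn>."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnTaggedInstances",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/*",
                "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}},
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                # Session IDs are prefixed with the caller's user name, so users
                # cannot terminate or resume each other's sessions.
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
            {
                "Sid": "ListInstancesForConsole",
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeSessions",
                    "ssm:GetConnectionStatus",
                    "ssm:DescribeInstanceProperties",
                    "ec2:DescribeInstances",
                ],
                "Resource": "*",
            },
        ],
    }


def start_session_allowed(policy: dict, instance_tags: dict) -> bool:
    """Local approximation of the StartSession tag check only: StringEquals on
    ssm:resourceTag/<key> is true when the key exists AND the value matches. A
    missing key fails the condition, so the instance is implicitly denied. Resource
    ARNs and explicit denies are not modelled; use
    `aws iam simulate-principal-policy` against the real account."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "ssm:StartSession" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if all(instance_tags.get(key.split("/", 1)[1]) == want
               for key, want in cond.items()):
            return True
    return False


# Constructed inventory: one matching instance, one with another value, one untagged.
INSTANCES = {
    "i-0aaa111aaa111aaa1": {"Environment": "Prod", "Name": "web-1"},
    "i-0bbb222bbb222bbb2": {"Environment": "Dev", "Name": "web-2"},
    "i-0ccc333ccc333ccc3": {"Name": "untagged-3"},
}


def reachable_instances(policy: dict, inventory: dict) -> list:
    """Instance IDs a user holding `policy` could open a session on."""
    return sorted(i for i, tags in inventory.items() if start_session_allowed(policy, tags))


if __name__ == "__main__":
    policy = session_policy(ACCOUNT_ID, REGION, TAG_KEY, TAG_VALUE)
    # Save as policy.json, then: aws iam create-policy --policy-name SsmProdSessions \
    #   --policy-document file://policy.json ; attach the returned ARN to GROUP_NAME.
    print(json.dumps(policy, indent=2))
    print("reachable:", reachable_instances(policy, INSTANCES))
```

The instance-side pieces (INSTANCE_ROLE_TRUST_POLICY plus the AmazonSSMManagedInstanceCore managed policy on an instance profile) are the prerequisite xSohox and OlehKom describe; they make the instances manageable at all, while the tag-conditioned identity policy is the piece that actually decides which people reach which instances.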
stoy123
8 months ago
Selected Answer: BE
B and E
upvoted 2 times
...
Maria2023
8 months, 3 weeks ago
Selected Answer: BE
The question does not mention granting users access to anything. Here we only discuss the access from SSM to the instances, which is not enabled by default.
upvoted 2 times
...
Rabbit117
9 months, 1 week ago
Selected Answer: AE
You would create an IAM policy that grants access to any EC2 instance with a tag specified in the Condition element (E) and then you would attach that policy to the users or groups which require the access (A). I think B is wrong as you assume an IAM role, you don't attach it...
upvoted 2 times
...
xdkonorek2
9 months, 2 weeks ago
Selected Answer: BE
To achieve this for all the instances without considering tags you would create an instance profile with a managed policy - "AmazonSSMManagedInstanceCore" - and attach it to an instance. For instances with specified tags you must create your own conditional policy so the SSM agent has access only to instances with particular tags.
upvoted 1 times
...
konieczny69
10 months, 2 weeks ago
Selected Answer: AE
A and E
upvoted 3 times
...
Hatem08
11 months ago
Selected Answer: AE
AE is the correct answer !
upvoted 3 times
...
wh1t4k3r
1 year, 1 month ago
I go for A and E, given that creating a policy and attaching a role does not solve the problem. You need to attach the policy you've created somewhere.
upvoted 3 times
...
xSohox
1 year, 2 months ago
Selected Answer: BE
I think it is BE. Because "By default, AWS Systems Manager doesn't have permission to perform actions on your instances." https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-instance-profile.html So you need to grant Session Manager the permission to perform actions on your Amazon EC2 instances: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html
upvoted 1 times
konieczny69
10 months, 2 weeks ago
It can't be BE since they are logically unrelated, where one creates a role and the second a policy. It's AE.
upvoted 2 times
...
...
Christina666
1 year, 3 months ago
Selected Answer: BE
A & E is a pair, can't be both
upvoted 1 times
konieczny69
10 months, 2 weeks ago
It must be both; create and attach are inseparable. AE.
upvoted 2 times
...
...
Gomer
1 year, 4 months ago
Selected Answer: BE
Could have been A, except you wouldn't attach a policy to "users or groups". That's too broad. Best practice is to use a group or a role, and not apply policies directly to a user.
upvoted 3 times
...
fazlur21
1 year, 4 months ago
The question is "A SysOps Administrator needs to control access __to__ groups of Amazon EC2 instances.", not the control access of EC2 instances (or from them), so B is not applicable here.
upvoted 2 times
...
fazlur21
1 year, 4 months ago
BE is the real answer 100%
upvoted 1 times
...
noahsark
1 year, 4 months ago
Selected Answer: BE
"Condition": { "StringEquals": { "ec2:ResourceTag/TAG-KEY": "TAG-VALUE" } } https://repost.aws/knowledge-center/iam-policy-permission-ec2-tags-vpc
upvoted 2 times
...
Gomer
1 year, 6 months ago
Selected Answer: BE
Q97: "A team of on-call engineers frequently needs to connect to Amazon EC2 instances in a private subnet to troubleshoot and run commands. The instances use either the latest AWS-provided Windows Amazon Machine Images (AMIs) or Amazon Linux AMIs. The team has an existing IAM role for authorization. A SysOps administrator must provide the team with access to the instances by granting IAM permissions to this role. Which solution will meet this requirement?" Correct answer: "A. Add a statement to the IAM role policy to allow the ssm:StartSession action on the instances. Instruct the team to use AWS Systems Manager Session Manager to connect to the instances by using the assumed IAM role." None of the other answers have anything to do with a policy for groups or users. https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html#restrict-access-example-instance-tags I vote for "BE" because of the policy example and I know a role could work. I think the wording in "A." is purposefully vague.
upvoted 3 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other