ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 65 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 65
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A startup company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company’s engineers rely heavily on SSH access to the instances for troubleshooting.

The company’s existing architecture includes the following:

• A VPC with private and public subnets, and a NAT gateway.
• Site-to-Site VPN for connectivity with the on-premises environment.
• EC2 security groups with direct SSH access from the on-premises environment.

The company needs to increase security controls around SSH access and provide auditing of commands run by the engineers.

Which strategy should a solutions architect use?

  • A. Install and configure EC2 Instance Connect on the fleet of EC2 instances. Remove all security group rules attached to EC2 instances that allow inbound TCP on port 22. Advise the engineers to remotely access the instances by using the EC2 Instance Connect CLI.
  • B. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer’s devices. Install the Amazon CloudWatch agent on all EC2 instances and send operating system audit logs to CloudWatch Logs.
  • C. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer’s devices. Enable AWS Config for EC2 security group resource changes. Enable AWS Firewall Manager and apply a security group policy that automatically remediates changes to rules.
  • D. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by masetromain at Jan. 14, 2023, 3:24 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
masetromain
Highly Voted 2 years, 5 months ago
Selected Answer: D
The correct answer is D. This strategy uses IAM roles and AWS Systems Manager to provide secure and auditable SSH access to the instances. The IAM role is attached to all the EC2 instances and has the AmazonSSMManagedInstanceCore managed policy attached, which allows the instances to be managed by Systems Manager. The engineers then install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager. This approach provides secure and auditable access to the instances without the need for IP-based security group rules or additional infrastructure.
upvoted 20 times
masetromain
2 years, 5 months ago
Option A uses EC2 Instance Connect to provide secure and auditable SSH access to the instances, but it requires additional infrastructure and configuration. Option B provides auditing of commands run by the engineers, but it relies on IP-based security group rules, which can be difficult to manage and may not be as secure as using IAM roles. Option C uses AWS Config and Firewall Manager to automatically remediate changes to security group rules, but it still relies on IP-based security group rules and does not provide an auditable method of access to the instances.
upvoted 4 times
masetromain
2 years, 5 months ago
For option A to work, the following additional infrastructure and configuration would be required: The EC2 Instance Connect service needs to be enabled in the AWS account and the appropriate IAM permissions would need to be granted to the engineers. The EC2 instances would need to have the EC2 Instance Connect agent installed and configured. The engineers would need to install the EC2 Instance Connect CLI on their devices and have the necessary credentials to authenticate with AWS. In addition, the company would need to update their processes and procedures to ensure that engineers are only using EC2 Instance Connect to access the instances and that all access is being logged and audited.
upvoted 4 times
adrian202
1 year, 6 months ago
The key factor is that Option A explains to remove the port 22 inbound SSH access security group, they would need to keep that present: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-prerequisites.html
upvoted 3 times
...
...
...
...
God_Is_Love
Highly Voted 2 years, 4 months ago
Selected Answer: D
A is wrong because Instance connect does not provided auditing B is wrong because it mentions OS audit logs. we need to audit SSH trafic C is wrong because we want to audit not remediate as asked in question. config service is to record using predefined rules and remediate as well D is correct because, By attaching the AmazonSSMManagedInstanceCore policy to an IAM role, EC2 instances can be controlled and monitored through the Systems Manager service, enabling capabilities such as remote instance management, patching, and compliance reporting. (ChatGPT response its answers are brief and helpful sometimes)
upvoted 11 times
kgpoj
9 months, 4 weeks ago
The explanation for A is wrong. AWS EC2 Instance Connect does support auditing.
upvoted 1 times
...
...
amministrazione
Most Recent 10 months ago
D. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.
upvoted 1 times
...
gofavad926
1 year, 3 months ago
Selected Answer: D
D, use SSM
upvoted 1 times
...
8608f25
1 year, 4 months ago
Selected Answer: D
Option D is the best strategy because it leverages AWS Systems Manager Session Manager, which allows for secure instance management without the need for SSH access. By attaching an IAM role with the AmazonSSMManagedInstanceCore policy to EC2 instances, engineers can use Session Manager for shell access to instances without needing to open port 22, significantly enhancing security. Session Manager also automatically logs session activity to S3 or CloudWatch Logs, providing the required command auditing capability. This eliminates the need for direct SSH access and offers a centralized, secure, and audited method for engineers to access and run commands on instances.
upvoted 2 times
...
rioisverycute
1 year, 6 months ago
Selected Answer: B
It required to increase security around ssh access, why so many people voted on D?
upvoted 1 times
djeong95
1 year, 4 months ago
Cloudwatch agent does not provide auditable logs for SSH sessions; it only provides metrics about CPU/Memory/Network Packets/etc; nothing about what user started session at what time and ran certain trackable API calls while in that session.
upvoted 1 times
...
...
Chung234
1 year, 8 months ago
The answer is D. Option A is wrong because EC2 Instance Connect requires the host security group to permit SSH traffic inbound. https://repost.aws/questions/QUnV4R9EoeSdW0GT3cKBUR7w/what-is-the-difference-between-ec2-instance-connect-and-session-manager-ssh-connections
upvoted 2 times
...
NikkyDicky
1 year, 12 months ago
Selected Answer: D
It's D
upvoted 1 times
...
SkyZeroZx
2 years ago
Selected Answer: D
keyword = AWS Systems Manager Session Manager then D
upvoted 1 times
...
mfsec
2 years, 3 months ago
Selected Answer: D
D for sure.
upvoted 2 times
...
Ajani
2 years, 3 months ago
Why its NOT A To connect using the Amazon EC2 console, the instance must have a public IPv4 address. If the instance does not have a public IP address, you can connect to the instance over a private network using an SSH client or the EC2 Instance Connect CLI. For example, you can connect from within the same VPC or through a VPN connection, transit gateway, or AWS Direct Connect. EC2 Instance Connect does not support connecting using an IPv6 address. going with D:
upvoted 2 times
...
lygf
2 years, 4 months ago
Selected Answer: D
Need to be able to audit the commands ran on the machine.
upvoted 2 times
...
DWsk
2 years, 4 months ago
I don't understand why it can't be A for this one. Why is AWS Systems Manager Session better than EC2 Instance Connect? They both require installing something on the instances.
upvoted 1 times
lygf
2 years, 4 months ago
Could option A audit the commands ran on the server, as required by the question? I knew D certainly can.
upvoted 1 times
...
anita_student
2 years, 3 months ago
For EC2 instance connect there are a few requirements: - instance has public IP (the instances in question are private) - you have port 22 open (A says remove port 22 inbound)
upvoted 4 times
...
...
moota
2 years, 4 months ago
Selected Answer: D
According to ChatGPT, Yes, AWS Systems Manager Session Manager can track the commands that are executed during a session. The session is recorded in the form of a log, which can be accessed and reviewed later. The log contains information such as the start time, end time, and the user who initiated the session, as well as a record of all the commands executed during the session, including their output and exit codes. This information can be useful for auditing purposes, troubleshooting, and compliance reporting.
upvoted 2 times
...
tinyflame
2 years, 4 months ago
Selected Answer: B
provide auditing of commands run by the engineers = B Only
upvoted 3 times
joefromnc
1 year, 10 months ago
Read docs you can audit command using SSM https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html
upvoted 1 times
rlf
1 year, 8 months ago
"In addition to providing information about current and completed sessions in the Systems Manager console, Session Manager provides you with the ability to audit session activity in your AWS account using AWS CloudTrail" https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-auditing.html https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-auditing.html
upvoted 1 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel