
Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 319 discussion

A company has hundreds of Amazon EC2 Linux-based instances in the AWS Cloud. Systems administrators have used shared SSH keys to manage the instances. After a recent audit, the company’s security team is mandating the removal of all shared keys. A solutions architect must design a solution that provides secure access to the EC2 instances.

Which solution will meet this requirement with the LEAST amount of administrative overhead?

  • A. Use AWS Systems Manager Session Manager to connect to the EC2 instances.
  • B. Use AWS Security Token Service (AWS STS) to generate one-time SSH keys on demand.
  • C. Allow shared SSH access to a set of bastion instances. Configure all other instances to allow only SSH access from the bastion instances.
  • D. Use an Amazon Cognito custom authorizer to authenticate users. Invoke an AWS Lambda function to generate a temporary SSH key.
Suggested Answer: A
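What option A actually changes is where access is decided: with Session Manager the SSH key pair is no longer the credential, an IAM policy is, and the instance needs no inbound port 22 at all (the SSM Agent on the instance makes outbound calls to the Systems Manager endpoints, and the instance profile needs the AmazonSSMManagedInstanceCore permissions). The following is an added example, not code from the exam page or from AWS: it builds the tag-scoped IAM policy an administrator group would get in place of the shared key, and audits a security-group listing in the shape of the EC2 DescribeSecurityGroups response for any rule that still admits TCP/22. The account ID, region, tag name, instance ID and the sample security groups are constructed; the condition keys ssm:resourceTag/<key> and ssm:SessionDocumentAccessCheck and the aws ssm start-session command are real.

```python
"""Session Manager in place of shared SSH keys: the IAM policy that replaces
the key, plus a check that the old SSH ingress rules are actually gone.

Added example, not from the exam page or from AWS documentation. Account ID,
region, tag key/value, instance ID and SAMPLE_GROUPS are constructed.
"""
import json
from typing import Any


def build_session_policy(account_id: str, region: str,
                         tag_key: str, tag_value: str) -> dict[str, Any]:
    """IAM policy for an administrator group: sessions may be started only on
    instances tagged tag_key=tag_value, only through the default shell
    document, and each user may resume/terminate only their own sessions.
    Condition keys are the documented Session Manager keys; ARNs are constructed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnTaggedInstancesOnly",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/*",
                "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}},
            },
            {
                "Sid": "DefaultShellDocumentOnly",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": f"arn:aws:ssm:{region}:{account_id}:document/SSM-SessionManagerRunShell",
                "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                # ${aws:username} is an IAM policy variable, resolved at evaluation time.
                "Resource": f"arn:aws:ssm:{region}:{account_id}:session/${{aws:username}}-*",
            },
        ],
    }


def start_session_command(instance_id: str, region: str) -> list[str]:
    """argv for the CLI equivalent of clicking Connect > Session Manager.
    Requires the Session Manager plugin for the AWS CLI on the admin workstation."""
    return ["aws", "ssm", "start-session", "--target", instance_id, "--region", region]


def ssh_ingress_rules(security_groups: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Return (group_id, source) for every ingress permission that admits TCP/22,
    including all-traffic rules (IpProtocol "-1"). Once Session Manager is in
    use the expected result is an empty list; each remaining finding is a
    candidate for `aws ec2 revoke-security-group-ingress`."""
    findings: list[tuple[str, str]] = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                covers_ssh = True
            elif proto == "tcp":
                covers_ssh = perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)
            else:
                covers_ssh = False
            if not covers_ssh:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            findings.extend((sg["GroupId"], src) for src in sources)
    return findings


# Constructed DescribeSecurityGroups-style listing: one group still open to the
# world on 22, one that trusts a bastion group for all traffic, one clean.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]


if __name__ == "__main__":
    print(json.dumps(build_session_policy("123456789012", "eu-west-1", "SsmAccess", "admins"), indent=2))
    print(" ".join(start_session_command("i-0123456789abcdef0", "eu-west-1")))
    for group_id, source in ssh_ingress_rules(SAMPLE_GROUPS):
        print(f"still admits SSH: {group_id} from {source}")
```

The audit deliberately flags the bastion-sourced rule in sg-0bbb as well: option C keeps exactly that pattern, and with Session Manager there is no legitimate reason for any instance to accept inbound 22. Session activity is then attributable to the IAM principal (and can be logged to CloudWatch Logs or S3 through Session Manager preferences), which is what gives the audit trail the comments below refer to.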

Comments

VIad
Highly Voted 1 year, 4 months ago
Answer is A. Using AWS Systems Manager Session Manager to connect to the EC2 instances is a secure option as it eliminates the need for inbound SSH ports and removes the requirement to manage SSH keys manually. It also provides a complete audit trail of user activity. This solution requires no additional software to be installed on the EC2 instances.
upvoted 11 times
...
pentium75
Highly Voted 5 months, 3 weeks ago
Selected Answer: A
A - Systems Manager Session Manager has EXACTLY that purpose, 'providing secure access to EC2 instances'.
B - STS can generate temporary IAM credentials or access keys but NOT SSH keys.
C - Does not 'remove all shared keys' as requested.
D - Cognito is not meant for internal users, and the whole setup is complex.
upvoted 7 times
...
pentium75
Most Recent 5 months, 3 weeks ago
Selected Answer: A
B - Querying is just a feature of Redshift but primarily it's a Data Warehouse - the question says nothing that historical data would have to be stored or accessed or analyzed
upvoted 2 times
...
Ruffyit
7 months, 2 weeks ago
The key reasons why: STS can generate short-lived credentials that provide temporary access to the EC2 instances for administering them. The credentials can be generated on-demand each time access is needed, eliminating the risks of using permanent shared SSH keys. No infrastructure like bastion hosts needs to be maintained. The on-premises administrators can use the familiar SSH tools with the temporary keys.
upvoted 2 times
...
TariqKipkemei
8 months, 2 weeks ago
Selected Answer: A
Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
upvoted 2 times
...
Guru4Cloud
9 months, 1 week ago
Selected Answer: B
The key reasons why: STS can generate short-lived credentials that provide temporary access to the EC2 instances for administering them. The credentials can be generated on-demand each time access is needed, eliminating the risks of using permanent shared SSH keys. No infrastructure like bastion hosts needs to be maintained. The on-premises administrators can use the familiar SSH tools with the temporary keys.
upvoted 1 times
pentium75
5 months, 3 weeks ago
STS provides temporary IAM credentials, not SSH keys
upvoted 2 times
...
...
Guru4Cloud
9 months, 3 weeks ago
Selected Answer: B
Using AWS Security Token Service (AWS STS) to generate one-time SSH keys on demand is a secure and efficient way to provide access to the EC2 instances without the need for shared SSH keys. STS is a fully managed service that can be used to generate temporary security credentials, allowing systems administrators to connect to the EC2 instances without having to share SSH keys. The temporary credentials can be generated on demand, reducing the administrative overhead associated with managing SSH access
upvoted 2 times
ofinto
9 months ago
Can you please provide documentation about generating a one-time SSH with STS?
upvoted 2 times
...
...
kruasan
1 year, 1 month ago
Selected Answer: A
AWS Systems Manager Session Manager provides secure shell access to EC2 instances without the need for SSH keys. It meets the security requirement to remove shared SSH keys while minimizing administrative overhead.
upvoted 2 times
Guru4Cloud
9 months, 1 week ago
If the systems administrators need to access the EC2 instances from an on-premises environment, using Session Manager may not be the ideal solution.
upvoted 1 times
...
kruasan
1 year, 1 month ago
Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises servers, and virtual machines (VMs). You can use either an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to managed nodes, strict security practices, and fully auditable logs with node access details, while providing end users with simple one-click cross-platform access to your managed nodes. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
upvoted 3 times
kruasan
1 year, 1 month ago
Who should use Session Manager? Any AWS customer who wants to improve their security and audit posture, reduce operational overhead by centralizing access control on managed nodes, and reduce inbound node access. Information Security experts who want to monitor and track managed node access and activity, close down inbound ports on managed nodes, or allow connections to managed nodes that don't have a public IP address. Administrators who want to grant and revoke access from a single location, and who want to provide one solution to users for Linux, macOS, and Windows Server managed nodes. Users who want to connect to a managed node with just one click from the browser or AWS CLI without having to provide SSH keys.
upvoted 3 times
...
...
...
Stanislav4907
1 year, 3 months ago
Selected Answer: C
You guys seriously don't want to go to SSM for every single EC2. You have to create a solution, not use services for one-time access. A bastion will give you the option to manage thousands of EC2 machines from one. Plus you can use Ansible from it.
upvoted 2 times
UnluckyDucky
1 year, 3 months ago
Session Manager is the best practice and the way recommended by Amazon to manage your instances. Bastion hosts require remote access, therefore exposing them to the internet. The most secure way is definitely Session Manager, therefore answer A is correct imho.
upvoted 4 times
...
Zox42
1 year, 2 months ago
Question: "the company’s security team is mandating the removal of all shared keys". Answer C can't be right because it says: "Allow shared SSH access to a set of bastion instances".
upvoted 7 times
...
...
Steve_4542636
1 year, 3 months ago
Selected Answer: A
I vote A.
upvoted 2 times
...
LuckyAro
1 year, 4 months ago
Selected Answer: A
AWS Systems Manager Session Manager provides secure and auditable instance management without the need for any inbound connections or open ports. It allows you to manage your instances through an interactive one-click browser-based shell or through the AWS CLI. This means that you don't have to manage any SSH keys, and you don't have to worry about securing access to your instances as access is controlled through IAM policies.
upvoted 5 times
...
bdp123
1 year, 4 months ago
Selected Answer: A
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
upvoted 3 times
...
jahmad0730
1 year, 4 months ago
Selected Answer: A
Answer must be A
upvoted 3 times
...
jennyka76
1 year, 4 months ago
Answer: A. AWS Session Manager is correct: least effort to access a Linux system in the AWS console, and you are already logged in to AWS. So no need for the token or other stuff done in the background by AWS. Makes sense.
upvoted 3 times
...
cloudbusting
1 year, 4 months ago
Answer is A
upvoted 4 times
...
zTopic
1 year, 4 months ago
Selected Answer: A
Answer is A
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted