Amazon Exam SAA-C03 Topic 4 Question 26 Discussion

Actual exam question for Amazon's SAA-C03 exam
Question #: 26
Topic #: 4

A company's developers want a secure way to gain SSH access on the company's Amazon EC2 instances that run the latest version of Amazon Linux. The developers work remotely and in the corporate office.

The company wants to use AWS services as a part of the solution. The EC2 instances are hosted in a VPC private subnet and access the internet through a NAT gateway that is deployed in a public subnet.

What should a solutions architect do to meet these requirements MOST cost-effectively?

Suggested Answer: D

AWS Systems Manager Session Manager lets you connect securely to EC2 instances without SSH keys or bastion hosts. You can open sessions from the AWS Management Console, the AWS CLI, or the AWS SDKs. Session Manager uses IAM policies and roles to control who can access which instances. Attaching the AmazonSSMManagedInstanceCore IAM policy to the IAM role associated with the EC2 instances grants the Systems Manager service the permissions it needs on those instances. A separate IAM policy, attached to the developers' IAM users or roles, allows them to start sessions to the instances. Session Manager relies on the AWS Systems Manager Agent (SSM Agent), which is installed by default on Amazon Linux 2 and other supported Linux distributions. All session data between the client and the instance is encrypted, and session logs can be streamed to Amazon S3, Amazon CloudWatch Logs, or both for auditing.

This solution is the most cost-effective because it requires no additional resources or services such as bastion hosts, VPN connections, or NAT gateways. It also simplifies the security and management of SSH access: there are no SSH keys to manage, no ports to open, and no firewall rules to maintain.

Reference:

- What is AWS Systems Manager?
- Setting up Session Manager
- Getting started with Session Manager
- Controlling access to Session Manager
- Logging Session Manager activity
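The explanation above separates two permission sets: the instance role gets AmazonSSMManagedInstanceCore, and the developers' principals get a policy that allows ssm:StartSession. The following added example (written for this page, not code from the page or from AWS) shows what a least-privilege developer policy looks like and uses a deliberately simplified evaluator to demonstrate how a tag condition scopes which instances a developer can reach. The condition keys `ssm:resourceTag/<key>` and `ssm:SessionDocumentAccessCheck`, and the `${aws:username}` session-ARN pattern, follow the patterns in the "Controlling access to Session Manager" documentation cited above; the account id, region, tag values, instance id, session ids and usernames are constructed placeholders, and the evaluator is not the real IAM engine (no explicit deny, SCPs or permission boundaries). One practical caveat: the SSM Agent on the instances must be able to reach the Systems Manager endpoints, either through the NAT gateway the question already describes or through VPC interface endpoints.

```python
"""Least-privilege developer policy for Session Manager, with a simplified
evaluator that shows how the tag condition scopes StartSession.

Added example, not code from the page or from AWS. The evaluator models only
the operators this one policy uses; it is not the IAM engine. Account id,
region, tag values, ids and usernames are constructed placeholders."""
import fnmatch

ACCOUNT_ID = "111122223333"  # constructed placeholder
REGION = "us-east-1"         # constructed placeholder
SHELL_DOCUMENT_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:document/SSM-SessionManagerRunShell"


def developer_session_policy(account_id: str, region: str, env_tag: str) -> dict:
    """Policy for the developers' IAM principals (the instance role separately
    gets AmazonSSMManagedInstanceCore). StartSession is limited to instances
    tagged Environment=<env_tag> and to the default shell document; developers
    may only terminate or resume sessions they started themselves."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartSessionOnTaggedInstances",
                "Effect": "Allow",
                "Action": ["ssm:StartSession"],
                "Resource": [f"arn:aws:ec2:{region}:{account_id}:instance/*"],
                "Condition": {"StringEquals": {"ssm:resourceTag/Environment": env_tag}},
            },
            {
                "Sid": "StartSessionWithDefaultShellDocument",
                "Effect": "Allow",
                "Action": ["ssm:StartSession"],
                "Resource": [f"arn:aws:ssm:{region}:{account_id}:document/SSM-SessionManagerRunShell"],
                "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
            },
            {
                "Sid": "DescribeForConsoleAndCli",
                "Effect": "Allow",
                "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                           "ssm:DescribeInstanceProperties", "ec2:DescribeInstances"],
                "Resource": "*",
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_allows(stmt: dict, action: str, resource_arn: str,
                      resource_tags: dict, username: str) -> bool:
    """Simplified matching: action glob, resource glob (with ${aws:username}
    substituted) and the two condition operators the policy above uses.
    Anything unrecognised fails closed."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    patterns = [r.replace("${aws:username}", username) for r in _as_list(stmt["Resource"])]
    if not any(fnmatch.fnmatchcase(resource_arn, p) for p in patterns):
        return False
    for operator, clauses in stmt.get("Condition", {}).items():
        for key, expected in clauses.items():
            if operator == "StringEquals" and key.startswith("ssm:resourceTag/"):
                if resource_tags.get(key.split("/", 1)[1]) != expected:
                    return False
            elif operator == "BoolIfExists" and key == "ssm:SessionDocumentAccessCheck":
                continue  # SSM supplies this key as "true" when it checks the document ARN
            else:
                return False
    return True


def can_start_session(policy: dict, username: str, instance_arn: str,
                      instance_tags: dict) -> bool:
    """StartSession needs an allow on the instance ARN and on the session
    document ARN; the instance statement is the one the tag condition gates."""
    statements = policy["Statement"]
    instance_ok = any(_statement_allows(s, "ssm:StartSession", instance_arn, instance_tags, username)
                      for s in statements)
    document_ok = any(_statement_allows(s, "ssm:StartSession", SHELL_DOCUMENT_ARN, {}, username)
                      for s in statements)
    return instance_ok and document_ok


def can_terminate_session(policy: dict, username: str, session_id: str) -> bool:
    """Session ids are prefixed with the starting user's name, so the
    ${aws:username} resource pattern confines developers to their own sessions."""
    session_arn = f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:session/{session_id}"
    return any(_statement_allows(s, "ssm:TerminateSession", session_arn, {}, username)
               for s in policy["Statement"])


if __name__ == "__main__":
    policy = developer_session_policy(ACCOUNT_ID, REGION, "dev")
    instance = f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/i-0123456789abcdef0"  # constructed
    print("dev instance :", can_start_session(policy, "alice", instance, {"Environment": "dev"}))
    print("prod instance:", can_start_session(policy, "alice", instance, {"Environment": "prod"}))
    print("own session  :", can_terminate_session(policy, "alice", "alice-0a1b2c3d4e5f6a7b8"))
    print("other session:", can_terminate_session(policy, "alice", "bob-0a1b2c3d4e5f6a7b8"))
```

The design point is that the tag condition sits on the instance statement only: a developer whose policy is scoped to `Environment=dev` cannot open a shell on an untagged or `prod` instance even though the instance role itself carries AmazonSSMManagedInstanceCore, and the `${aws:username}` pattern keeps developers from terminating each other's sessions. Session logging to S3 or CloudWatch Logs, as the explanation notes, is configured on the Session Manager preferences rather than in this policy.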


Contribute your Thoughts:

Rene
8 months ago
True, but with Option D, the developers would still need to be granted the AmazonSSMManagedInstanceCore IAM policy, which could be a bit of a pain to manage. And what if the developers need to do some advanced troubleshooting that requires direct SSH access? The bastion host approach in Option C seems more flexible.
upvoted 0 times
Carole
8 months ago
I'm not so sure about Option C. Doesn't that mean the developers will have to go through an extra hop to access the EC2 instances? That could slow things down and be a bit of a hassle for them. Option D with AWS Systems Manager Session Manager seems like it could be more user-friendly.
upvoted 0 times
Buddy
7 months ago
Exactly, Option D seems like the most user-friendly and secure solution for SSH access to EC2 instances.
upvoted 0 times
Dorothea
8 months ago
And they can do it without the extra hop through a bastion host like Option C.
upvoted 0 times
Ashley
8 months ago
True, with Option D, developers can access EC2 instances without having to manage SSH keys.
upvoted 0 times
Cordie
8 months ago
That's a good point. Option D with AWS Systems Manager Session Manager could be more secure.
upvoted 0 times
Quentin
8 months ago
But won't granting ec2:CreateVpnConnection IAM permission to developers be a security risk?
upvoted 0 times
Markus
8 months ago
I think Option A might be the best choice. It allows developers to connect to EC2 instances directly.
upvoted 0 times
Fletcher
8 months ago
Haha, yeah, imagine if the developers tried to use Option A and accidentally created a VPN connection instead of using EC2 Instance Connect. That would be a real 'connect the dots' kind of moment.
upvoted 0 times
Willow
8 months ago
Good one! Although, to be fair, Option A does seem a bit overly complex for this use case. I think the best solution is still Option C - it's secure, cost-effective, and gives the developers the access they need without too much extra hassle.
upvoted 0 times
