AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 26
A company wants to use AWS Systems Manager to manage a large fleet of Amazon EC2 instances. The company hosts the instances in private subnets. The company follows the principle of least privilege to assign access permissions. All private subnets have internet connectivity through a NAT gateway.
A CloudOps engineer installs the latest version of the Systems Manager Agent (SSM Agent). However, the EC2 instances do not appear in Systems Manager Fleet Manager. The CloudOps engineer must resolve this issue.
Which solution will meet this requirement?
Answer options
- A. Replace the NAT gateway with a NAT instance that is deployed in the public subnet. Update the private subnet's route table to use the NAT instance.
- B. Create a VPC endpoint for Systems Manager. Remove routes to the internet through the NAT gateway from the private subnet's route table.
- C. Attach the AmazonSSMManagedInstanceCore AWS managed policy to the EC2 instance profile that is associated with the instances.
- D. Attach a custom policy that allows all `ssm:*` actions to the EC2 instance profile that is associated with the instances.
Correct answer: C
Explanation
The correct answer is C. The SSM Agent authenticates to Systems Manager with the credentials of the instance profile attached to the instance. If that profile grants no Systems Manager permissions, the agent's API calls are denied, starting with ssm:UpdateInstanceInformation, the registration call that makes an instance appear in Fleet Manager, so the instances never show up no matter how current the agent is. AmazonSSMManagedInstanceCore is the AWS managed policy that grants the ssm, ssmmessages and ec2messages actions the agent needs and nothing more, so attaching it to the instance profile fixes the problem while staying within least privilege.

Options A and B only change the network path. The private subnets already reach the public Systems Manager endpoints through the NAT gateway, so connectivity is not the problem; interface VPC endpoints for ssm, ssmmessages and ec2messages are a reasonable hardening step, but they do not grant permissions. Option D grants far more than the agent needs, which violates the principle of least privilege the question explicitly requires.

To verify the fix: confirm an instance profile is actually attached (`aws ec2 describe-iam-instance-profile-associations`), attach the managed policy to the profile's role, restart the agent or wait for its next retry, and check that the instances are listed by `aws ssm describe-instance-information`. While the permissions are missing, the agent log (on Linux, /var/log/amazon/ssm/amazon-ssm-agent.log) records the access-denied errors.
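To make the difference between the options concrete, here is an added example, not part of the original question or of any AWS tooling: a small offline check in Python that compares an instance profile's Allow statements against the action set the SSM Agent needs. The action list is transcribed from AmazonSSMManagedInstanceCore as the author of this example knows it and should be verified against the current policy document in IAM; the three sample profiles and the function names `assess_instance_profile` and `iam_action_matches` are assumptions made for the example.

```python
# Added example (not part of the original question or of AWS documentation):
# an offline check of whether an instance profile's policy statements grant
# the actions the SSM Agent needs, and whether they do so with more privilege
# than necessary.
import fnmatch

# Actions required by the SSM Agent, transcribed from the
# AmazonSSMManagedInstanceCore managed policy as the author knows it.
# Assumption: verify against the current policy document in IAM, since AWS
# revises managed policies over time.
SSM_AGENT_ACTIONS = (
    "ssm:DescribeAssociation",
    "ssm:GetDeployablePatchSnapshotForInstance",
    "ssm:GetDocument",
    "ssm:DescribeDocument",
    "ssm:GetManifest",
    "ssm:ListAssociations",
    "ssm:ListInstanceAssociations",
    "ssm:PutInventory",
    "ssm:PutComplianceItems",
    "ssm:PutConfigurePackageResult",
    "ssm:UpdateAssociationStatus",
    "ssm:UpdateInstanceAssociationStatus",
    "ssm:UpdateInstanceInformation",  # registration call behind Fleet Manager
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
    "ec2messages:AcknowledgeMessage",
    "ec2messages:DeleteMessage",
    "ec2messages:FailMessage",
    "ec2messages:GetEndpoint",
    "ec2messages:GetMessages",
    "ec2messages:SendReply",
)


def _as_list(value):
    """IAM allows "Action" to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def iam_action_matches(pattern, action):
    """IAM matches action names case-insensitively and supports * and ?."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def assess_instance_profile(statements):
    """Compare Allow statements against the agent's required action set.

    Returns the required actions that are not granted, the wildcard patterns
    that reach beyond the required set, and a verdict. Deny statements,
    conditions and resource ARNs are ignored on purpose: the managed policy
    itself uses Resource "*", and the point here is action coverage.
    """
    granted = set()
    overbroad = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted |= {a for a in SSM_AGENT_ACTIONS if iam_action_matches(pattern, a)}
            # The full action list of a service cannot be enumerated offline,
            # so any wildcard is treated as reaching actions the agent never calls.
            if "*" in pattern or "?" in pattern:
                overbroad.append(pattern)
    missing = sorted(set(SSM_AGENT_ACTIONS) - granted)
    if missing:
        verdict = "missing_permissions"
    elif overbroad:
        verdict = "overbroad"
    else:
        verdict = "ok"
    return {"missing": missing, "overbroad": overbroad, "verdict": verdict}


# Constructed sample profiles (not real account data).
NO_SSM_POLICY = []  # the symptom in the question: agent installed, no permissions
MANAGED_CORE = [{"Effect": "Allow", "Action": list(SSM_AGENT_ACTIONS), "Resource": "*"}]
SSM_WILDCARD = [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]  # option D

if __name__ == "__main__":
    samples = (("no policy", NO_SSM_POLICY),
               ("AmazonSSMManagedInstanceCore", MANAGED_CORE),
               ("custom ssm:*", SSM_WILDCARD))
    for name, profile in samples:
        result = assess_instance_profile(profile)
        print(f"{name}: {result['verdict']}, "
              f"missing={len(result['missing'])}, overbroad={result['overbroad']}")
```

Running it prints one verdict per sample profile. The `ssm:*` case is the instructive one: a service-wide wildcard is flagged as over-broad and yet still leaves every ssmmessages and ec2messages action ungranted, so it neither respects least privilege nor gives the agent what it needs for Session Manager and Run Command channels. The managed policy passes with no missing actions and no wildcards, which is why it is the right fix.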