AWS Certified Security – Specialty (SCS-C02) — Question 190
A company wants to remove all SSH keys permanently from a specific subset of its Amazon Linux 2 Amazon EC2 instances that are using the same IAM instance profile. However, three individuals who have IAM user accounts will need to access these instances by using an SSH session to perform critical duties.
How can a security engineer provide the access to meet these requirements?
Answer options
- A. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Inventory to select the EC2 instance and connect.
- B. Assign an IAM policy to the IAM user accounts to provide permission to use AWS Systems Manager Run Command. Remove the SSH keys from the EC2 instances. Use Run Command to open an SSH connection to the EC2 instance.
- C. Assign an IAM policy to the instance profile to allow the EC2 instances to be managed by AWS Systems Manager. Provide the IAM user accounts with permission to use Systems Manager. Remove the SSH keys from the EC2 instances. Use Systems Manager Session Manager to select the EC2 instance and connect.
- D. Assign an IAM policy to the IAM user accounts to provide permission to use the EC2 service in the AWS Management Console. Remove the SSH keys from the EC2 instances. Connect to the EC2 instance as the ec2-user through the AWS Management Console’s EC2 SSH client method.
Correct answer: C
Explanation
The correct answer is C because it allows the instances to be managed by Systems Manager, enabling the IAM user accounts to connect securely without SSH keys using Session Manager. Option A incorrectly suggests using Systems Manager Inventory, which does not facilitate direct connection. Option B focuses on Run Command, which is not designed for interactive SSH sessions. Option D relies on the AWS Management Console, which does not align with the requirement to remove SSH keys.