AWS Certified Security – Specialty (SCS-C02) — Question 217

A company has an application on Amazon EC2 instances that store confidential customer data. The company must restrict access to customer data. A security engineer requires secure access to the instances that host the application. According to company policy, users must not open any inbound ports, maintain bastion hosts, or manage SSH keys for the EC2 instances.

The security engineer wants to monitor, store, and access all session activity logs. The logs must be encrypted.

Which solution will meet these requirements?

Answer options

• A. Use AWS Control Tower to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.
• B. Use AWS Security Hub to connect to the EC2 instances. Configure Amazon CloudWatch logging for the sessions. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.
• C. Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch monitoring to record the sessions. Select the store session logs option for the desired CloudWatch Logs log groups.
• D. Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch logging. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

Correct answer: D

Explanation

The correct answer is D because AWS Systems Manager Session Manager allows secure access to EC2 instances without the need for inbound ports or SSH keys, while also supporting encrypted logging to Amazon CloudWatch. Options A and B incorrectly use AWS Control Tower and AWS Security Hub, which do not provide direct session management capabilities for EC2. Option C misstates the log storage method, as it does not specify the use of the upload option for session logs.