AWS Certified Security – Specialty (SCS-C02) — Question 295
A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application. The application processes sensitive data and has the following compliance requirements:
• No remote access management ports to the EC2 instances can be exposed internally or externally.
• All remote session activity must be recorded in an audit log.
• All remote access to the EC2 instances must be authenticated and authorized by AWS IAM Identity Center.
The company’s DevOps team occasionally needs to connect to one of the EC2 instances to troubleshoot issues.
Which solution will provide remote access to the EC2 instances while meeting the compliance requirements?
Answer options
- A. Grant access to the EC2 serial console at the account level. Create an IAM policy that allows an IAM role of the DevOps team to access the EC2 serial console.
- B. Enable EC2 Instance Connect on the AMI of the EC2 instances. Configure the appropriate security group rules. Grant EC2 console access to the DevOps team for access to EC2 Instance Connect.
- C. Assign an EC2 instance role that allows access to AWS Systems Manager. Create an IAM policy that grants access to Systems Manager Session Manager. Assign the policy to an IAM role of the DevOps team.
- D. Use AWS Systems Manager Automation runbooks to open remote access ports to the EC2 instances. Attach a role to the EC2 instances to allow the runbooks to run.
Correct answer: C
Explanation
AWS Systems Manager Session Manager provides interactive shell access through the SSM Agent's outbound connection to the Systems Manager service, so no inbound port has to be opened and no SSH keys have to be managed; this satisfies the requirement that no remote access management port is exposed internally or externally. Access is granted through IAM: the instance profile allows the agent to register with Systems Manager, and the DevOps team's IAM Identity Center permission set grants ssm:StartSession, so every session is authenticated and authorized through IAM Identity Center. Session Manager preferences can send a full record of each session to Amazon S3 and Amazon CloudWatch Logs, which provides the required audit log. The other options fail the requirements: EC2 Instance Connect (B) and runbooks that open ports (D) require inbound port 22 to be reachable, and the EC2 serial console (A) neither authorizes through IAM Identity Center nor records session activity.
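As an added illustration (not part of the exam page), the three artifacts option C relies on, expressed in Python: a least-privilege policy for the DevOps permission set, the Session Manager preferences document that turns on S3 and CloudWatch logging, and a check over a security group's inbound rules that flags any route to a management port, from any source. The tag key `Team`, the bucket, log group and KMS alias are assumed values.

```python
# Assumed values: instances are tagged Team=DevOps; bucket/log group names are placeholders.
MGMT_PORTS = {22: "ssh", 3389: "rdp"}

def devops_session_policy(team_tag="DevOps"):
    """Policy for the DevOps permission set: start sessions only on instances
    tagged Team=<team_tag>, only via the standard shell document, and resume or
    terminate only the caller's own sessions (session IDs start with the username)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ssm:resourceTag/Team": team_tag}}},
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
        {"Effect": "Allow", "Action": ["ssm:DescribeSessions", "ssm:GetConnectionStatus",
                                       "ssm:DescribeInstanceInformation"],
         "Resource": "*"}]}

def session_preferences(bucket, log_group, kms_key_id):
    """Content of the SSM-SessionManagerRunShell preferences document: every
    session is written to S3 and streamed to CloudWatch Logs, both encrypted."""
    return {"schemaVersion": "1.0", "description": "Session Manager preferences",
            "sessionType": "Standard_Stream",
            "inputs": {"s3BucketName": bucket, "s3KeyPrefix": "sessions/",
                       "s3EncryptionEnabled": True,
                       "cloudWatchLogGroupName": log_group,
                       "cloudWatchEncryptionEnabled": True,
                       "cloudWatchStreamingEnabled": True,
                       "kmsKeyId": kms_key_id, "runAsEnabled": False,
                       "idleSessionTimeout": "20"}}

def exposed_mgmt_ports(ip_permissions):
    """Return (port, source) pairs for every inbound rule (shape of EC2
    DescribeSecurityGroups IpPermissions) that reaches 22 or 3389. Any source
    counts, since the requirement also bans internal exposure."""
    findings = []
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all protocols/ports
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        sources = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                   + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
                   + [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])])
        for port in MGMT_PORTS:
            if proto == "-1" or lo <= port <= hi:
                findings.extend((port, src) for src in sources)
    return findings
```

Run `exposed_mgmt_ports` over the `IpPermissions` of each security group attached to the fleet; a compliant fleet returns an empty list for every group.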