AWS Certified Security – Specialty — Question 176

A company wants to deploy an application in a private VPC that will not be connected to the internet. The company's security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances. The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances.
Which combination of steps should the security team take? (Choose three.)

Answer options

• A. Make sure the Systems Manager Agent is installed and running on all EC2 instances inside the VPC.
• B. Ensure the IAM role attached to the EC2 instances in the VPC allows access to Systems Manager.
• C. Create an SCP that prevents the creation of SSH key pairs.
• D. Launch a NAT gateway in the VPC. Update the routing policies to forward traffic to this NAT gateway.
• E. Ensure proper VPC endpoints are in place for Systems Manager and Amazon EC2.
• F. Ensure the VPC has a transit gateway attachment. Update the routing policies to forward traffic to this transit gateway.

Correct answer: A, B, E

Explanation

The correct steps include ensuring the Systems Manager Agent is installed and running (A), confirming the IAM role allows Systems Manager access (B), and setting up proper VPC endpoints for Systems Manager and EC2 (E). Options C, D, and F are not necessary for the operation of Session Manager, as they either restrict SSH access without relevant benefit or involve internet connectivity, which contradicts the requirement.