AWS Certified Security – Specialty — Question 309

A company does not allow the permanent installation of SSH keys onto an Amazon Linux 2 EC2 instance. However, three employees who have IAM user accounts require access to the EC2 instance. The employees must use an SSH session to perform critical duties.

How can a security engineer provide the appropriate access to the EC2 instance to meet these requirements?

Answer options

• A. Use AWS Systems Manager Inventory to select the EC2 instance and connect. Provide the IAM user accounts with the permissions to use Systems Manager Inventory.
• B. Use AWS Systems Manager Run Command to open an SSH connection to the EC2 instance. Provide the IAM user accounts with the permissions to use Run Command.
• C. Use AWS Systems Manager Session Manager. Provide the IAM user accounts with the permissions to use Systems Manager Session Manager.
• D. Connect to the EC2 instance as the ec2-user through the AWS Management Console’s EC2 SSH client method. Provide the IAM user accounts with access to use the EC2 service in the AWS Management Console.

Correct answer: C

Explanation

AWS Systems Manager Session Manager provides secure, interactive shell access to EC2 instances without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. AWS Systems Manager Inventory is used for gathering software metadata, and Run Command is intended for executing non-interactive administrative scripts rather than establishing an interactive shell. The standard EC2 console SSH client method still relies on managing and using SSH keys, which violates the company's security policy.