AWS Certified Security – Specialty — Question 320
A company has installed a third-party application that is distributed on several Amazon EC2 instances and on-premises servers. Occasionally, the company’s IT team needs to use SSH to connect to each machine to perform software maintenance tasks. Outside these time slots, the machines must be completely isolated from the rest of the network. The company does not want to maintain any SSH keys. Additionally, the company wants to pay only for machine hours when there is an SSH connection.
Which solution will meet these requirements?
Answer options
- A. Create a bastion host with port forwarding to connect to the machines.
- B. Set up AWS Systems Manager Session Manager to allow temporary connections.
- C. Use AWS CloudShell to create serverless connections.
- D. Set up an interface VPC endpoint for each machine for private connection.
Correct answer: B
Explanation
AWS Systems Manager Session Manager provides secure, auditable instance management without the need to maintain open inbound ports, manage SSH keys, or run bastion hosts. It allows connections to both EC2 instances and on-premises servers (via the SSM Agent) at no additional charge beyond the underlying EC2 or on-premises resources. Using a bastion host (Option A) or interface VPC endpoints (Option D) would introduce continuous hourly infrastructure costs regardless of whether an SSH session is active.