AWS Certified Security – Specialty — Question 369

A company is using AWS Systems Manager Session Manager to manage Amazon EC2 instances. A user is unable to connect to a new EC2 instance that runs Amazon Linux 2 in a private subnet in a newly created VPC. The user confirms that the new EC2 instance has the correct IAM instance profile attached.

What is the MOST likely root cause of the user’s inability to connect?

Answer options

• A. The EC2 key pair on the instance is mismatched with the user’s key.
• B. The EC2 instance security group is missing SSH port 22 for inbound traffic.
• C. The EC2 instance is in a private VPC and is missing the ssmmessages endpoint.
• D. Amazon Linux 2 does not have Systems Manager Agent preinstalled.

Correct answer: C

Explanation

For Systems Manager Session Manager to connect to an EC2 instance in a private subnet without internet access, interface VPC endpoints (such as ssmmessages) must be configured to allow communication with the Systems Manager service. Options A and B are incorrect because Session Manager does not require open inbound ports (like SSH port 22) or key pairs to establish a connection. Option D is incorrect because Amazon Linux 2 includes the Systems Manager Agent preinstalled by default.