AWS Certified Security – Specialty — Question 401

A company wants to use AWS Systems Manager Patch Manager to patch Amazon EC2 instances that run Amazon Linux 2. The EC2 instances are running in a single AWS account. No internet connectivity is allowed from any EC2 instances in the account.

A security engineer has configured the relevant settings in Patch Manager. The security engineer now needs to ensure that the EC2 instances can connect to the Systems Manager endpoint.

Which combination of steps must the security engineer take to meet these requirements? (Choose three.)

Answer options

• A. Create a gateway VPC endpoint for com.amazonaws.[region].s3.
• B. Create VPC endpoints for com.amazonaws.[region].ec2messages and com.amazonaws.[region].ssm.
• C. Create a NAT gateway.
• D. Update the route tables to route Systems Manager traffic through the NAT gateway.
• E. Update the route tables with a route to the gateway VPC endpoint.
• F. Update the route tables to route the update traffic through the NAT gateway.

Correct answer: A, B, E

Explanation

To enable Systems Manager and Patch Manager functionality without internet access, interface VPC endpoints for SSM and EC2messages are required so the SSM Agent can communicate securely with AWS Systems Manager. Additionally, Amazon Linux 2 patching relies on Amazon S3 buckets to pull updates, necessitating a gateway VPC endpoint for S3 and an updated route table directing S3 traffic to this gateway. Since internet connectivity is explicitly forbidden, NAT gateways (which allow outbound internet access) are not appropriate solutions.