AWS Certified Security – Specialty — Question 467

A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.

The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.

Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Choose three.)

Answer options

Correct answer: A, D, E

Explanation

To enable AWS Systems Manager Session Manager in a private VPC without internet access, you must establish interface VPC endpoints (PrivateLink) for Systems Manager so the SSM Agent can communicate securely with the service. The SSM Agent initiates outbound connections to the endpoint on port 443, which requires the EC2 instance's security group to allow outbound traffic on port 443. Additionally, the VPC endpoint's security group must permit inbound traffic on port 443 from the VPC CIDR to accept the incoming connection from the EC2 instance.
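The three conditions in the explanation (interface endpoints present, instance security group allowing outbound 443, endpoint security group allowing inbound 443 from the VPC) can be verified before anyone touches the instance. The following Python is an added example, not part of the exam question or of any AWS tooling: it evaluates constructed dictionaries whose shape loosely mirrors what boto3's describe_vpc_endpoints and describe_security_groups return, so it runs offline. The region, CIDR and security group IDs are made up for the illustration, and the check is deliberately conservative (a rule counts only if it covers the whole VPC CIDR or references the peer security group). It also assumes Session Manager needs the ssm, ssmmessages and ec2messages endpoints, which is the documented requirement. Because every check reads network configuration rather than the instance itself, it fits the "without compromising forensic data" constraint.

```python
import ipaddress

# Session Manager traffic from SSM Agent needs all three interface endpoints.
REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def _rule_allows_tcp_443(rule):
    """True if a security group rule permits TCP/443 (or all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535)


def _rule_reaches(rule, cidr, peer_sg_id):
    """True if the rule covers the whole CIDR or references the peer SG by id."""
    target = ipaddress.ip_network(cidr)
    for r in rule.get("IpRanges", []):
        if target.subnet_of(ipaddress.ip_network(r["CidrIp"])):
            return True
    return any(p.get("GroupId") == peer_sg_id for p in rule.get("UserIdGroupPairs", []))


def check_session_manager_path(region, vpc_cidr, endpoints, instance_sg, endpoint_sg):
    """Return a list of findings; an empty list means the agent can reach the service."""
    findings = []
    for svc in REQUIRED_SERVICES:
        name = f"com.amazonaws.{region}.{svc}"
        match = [e for e in endpoints
                 if e.get("ServiceName") == name and e.get("VpcEndpointType") == "Interface"]
        if not match:
            findings.append(f"missing interface endpoint {name}")
        elif not match[0].get("PrivateDnsEnabled", False):
            findings.append(f"private DNS disabled on {name}")

    # Instance SG: outbound TCP/443 toward the endpoint ENIs (inside the VPC CIDR).
    if not any(_rule_allows_tcp_443(r) and _rule_reaches(r, vpc_cidr, endpoint_sg["GroupId"])
               for r in instance_sg.get("IpPermissionsEgress", [])):
        findings.append("instance SG has no outbound TCP/443 rule toward the endpoints")

    # Endpoint SG: inbound TCP/443 from the VPC CIDR (or from the instance SG).
    if not any(_rule_allows_tcp_443(r) and _rule_reaches(r, vpc_cidr, instance_sg["GroupId"])
               for r in endpoint_sg.get("IpPermissions", [])):
        findings.append("endpoint SG has no inbound TCP/443 rule from the VPC")
    return findings


# Constructed sample data (hypothetical region, CIDR and group ids).
REGION = "us-east-1"
VPC_CIDR = "10.0.0.0/16"
TCP_443_FROM_VPC = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                    "IpRanges": [{"CidrIp": VPC_CIDR}]}


def broken_findings():
    """The question's starting state: no endpoints, instance SG with no rules at all."""
    instance_sg = {"GroupId": "sg-0instance", "IpPermissions": [], "IpPermissionsEgress": []}
    endpoint_sg = {"GroupId": "sg-0endpoint", "IpPermissions": []}
    return check_session_manager_path(REGION, VPC_CIDR, [], instance_sg, endpoint_sg)


def fixed_findings():
    """The corrected state: three endpoints plus the two security group rules."""
    endpoints = [{"ServiceName": f"com.amazonaws.{REGION}.{s}",
                  "VpcEndpointType": "Interface", "PrivateDnsEnabled": True}
                 for s in REQUIRED_SERVICES]
    instance_sg = {"GroupId": "sg-0instance", "IpPermissions": [],
                   "IpPermissionsEgress": [TCP_443_FROM_VPC]}
    endpoint_sg = {"GroupId": "sg-0endpoint", "IpPermissions": [TCP_443_FROM_VPC]}
    return check_session_manager_path(REGION, VPC_CIDR, endpoints, instance_sg, endpoint_sg)


if __name__ == "__main__":
    for f in broken_findings():
        print("before:", f)
    print("after:", fixed_findings() or "ready")
```

Running it against the broken scenario lists five findings (three missing endpoints, the missing egress rule and the missing ingress rule); the fixed scenario returns an empty list. In a real account the same function would be fed the output of describe_vpc_endpoints and describe_security_groups, which are read-only API calls.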