AWS Certified Solutions Architect – Associate (SAA-C02) — Question 521
A company wants to use AWS Systems Manager to manage a fleet of Amazon EC2 instances. According to the company's security requirements, no EC2 instances can have internet access. A solutions architect needs to design network connectivity from the EC2 instances to Systems Manager while fulfilling this security obligation.
Which solution will meet these requirements?
Answer options
- A. Deploy the EC2 instances into a private subnet with no route to the internet.
- B. Configure an interface VPC endpoint for Systems Manager. Update routes to use the endpoint.
- C. Deploy a NAT gateway into a public subnet. Configure private subnets with a default route to the NAT gateway.
- D. Deploy an internet gateway. Configure a network ACL to deny traffic to all destinations except Systems Manager.
Correct answer: B
Explanation
Configuring an interface VPC endpoint (AWS PrivateLink) allows the EC2 instances to connect privately to AWS Systems Manager without traversing the public internet, satisfying the strict no-internet security policy. Option A is incomplete because merely placing instances in a private subnet without an endpoint prevents them from communicating with Systems Manager altogether. Options C and D are incorrect because utilizing a NAT gateway or an internet gateway introduces internet connectivity paths, which violates the security requirement.
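The practical detail behind option B is that the SSM Agent talks to three PrivateLink services, not one: ssm (the API), ssmmessages (Session Manager channel) and ec2messages (Run Command channel). Each needs an interface endpoint with private DNS enabled so the agent's normal regional hostnames resolve to the endpoint's private IP inside the VPC, and the endpoint's security group must accept TCP 443 from the instances. The following compliance check is an added example, not from the question page or AWS; it takes inventory data in the shape returned by ec2:DescribeVpcEndpoints and ec2:DescribeRouteTables (constructed inline here rather than fetched with boto3) and reports two things a reviewer would want: which required endpoints are missing, and whether any default route still leads to an internet gateway or NAT gateway.

```python
"""Check that a VPC reaches Systems Manager privately and has no internet path.

Added example. Input dict shapes mirror the VpcEndpoints and RouteTables lists
from ec2:DescribeVpcEndpoints / ec2:DescribeRouteTables; the sample data below
is constructed and the resource ids in it are placeholders.
"""

# Interface endpoints the SSM Agent requires (service names follow the
# com.amazonaws.<region>.<service> pattern used by AWS PrivateLink).
SSM_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def required_endpoint_names(region):
    """Full PrivateLink service names for the three SSM-related endpoints."""
    return {f"com.amazonaws.{region}.{svc}" for svc in SSM_SERVICES}


def missing_ssm_endpoints(endpoints, region):
    """Required service names that are not present as an *interface* endpoint
    with private DNS enabled (without private DNS the agent still resolves the
    public hostname and the endpoint is never used)."""
    present = {
        ep["ServiceName"]
        for ep in endpoints
        if ep.get("VpcEndpointType") == "Interface" and ep.get("PrivateDnsEnabled")
    }
    return sorted(required_endpoint_names(region) - present)


def internet_routes(route_tables):
    """(route_table_id, target) for each 0.0.0.0/0 route whose target is an
    internet gateway (igw-*) or NAT gateway (nat-*). These are the paths that
    options C and D introduce and the policy forbids."""
    findings = []
    for rt in route_tables:
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            target = route.get("GatewayId") or route.get("NatGatewayId")
            if target and (target.startswith("igw-") or target.startswith("nat-")):
                findings.append((rt["RouteTableId"], target))
    return findings


def evaluate(vpc, region):
    """Run both checks; a compliant VPC yields two empty lists."""
    return {
        "missing_endpoints": missing_ssm_endpoints(vpc["VpcEndpoints"], region),
        "internet_routes": internet_routes(vpc["RouteTables"]),
    }


# Constructed sample 1: the option C design. Private subnet defaults to a NAT
# gateway and no SSM endpoints exist. Placeholder ids.
OPTION_C_VPC = {
    "VpcEndpoints": [],
    "RouteTables": [
        {
            "RouteTableId": "rtb-private-placeholder",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"},
            ],
        }
    ],
}

# Constructed sample 2: the option B design. Three interface endpoints with
# private DNS, and the private route table carries only the local route.
OPTION_B_VPC = {
    "VpcEndpoints": [
        {"ServiceName": f"com.amazonaws.us-east-1.{svc}",
         "VpcEndpointType": "Interface", "PrivateDnsEnabled": True}
        for svc in SSM_SERVICES
    ],
    "RouteTables": [
        {
            "RouteTableId": "rtb-private-placeholder",
            "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
        }
    ],
}

if __name__ == "__main__":
    for label, vpc in (("option C", OPTION_C_VPC), ("option B", OPTION_B_VPC)):
        print(label, evaluate(vpc, "us-east-1"))
```

Run against real inventory by passing the `VpcEndpoints` and `RouteTables` lists from the two describe calls; an empty `internet_routes` list only proves the route tables are clean, so pair it with a check that the endpoint security groups allow 443 from the instance subnets and that instances carry no public IP.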