AWS Certified Solutions Architect – Associate (SAA-C02) — Question 609
A company runs demonstration environments for its customers on Amazon EC2 instances. Each environment is isolated in its own VPC. The company's operations team needs to be notified when RDP or SSH access to an environment has been established.
What should a solutions architect recommend to meet these requirements?
Answer options
- A. Configure Amazon CloudWatch Application Insights to create AWS Systems Manager OpsItems when RDP or SSH access is detected.
- B. Configure the EC2 instances with an IAM instance profile that has an IAM role with the AmazonSSMManagedInstanceCore policy attached.
- C. Publish VPC flow logs to Amazon CloudWatch Logs. Create required metric filters. Create an Amazon CloudWatch metric alarm with a notification action for when the alarm is in the ALARM state.
- D. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to listen for events of type EC2 Instance State-change Notification. Configure an Amazon Simple Notification Service (Amazon SNS) topic as a target. Subscribe the operations team to the topic.
Correct answer: A
Explanation
Amazon CloudWatch Application Insights can monitor applications running on Amazon EC2 instances, automatically detect successful RDP or SSH logon events, and create AWS Systems Manager OpsItems that notify the operations team. Option B only grants the instances Systems Manager permissions; it does not produce any notification. Option C is incorrect because VPC flow logs capture only IP-level traffic metadata and do not distinguish a successful OS-level login session from other traffic on the port. Option D is incorrect because EC2 Instance State-change Notification events report only instance lifecycle changes such as stopping or starting, not user logins.