AWS Certified Solutions Architect – Associate (SAA-C03) — Question 276
A company has hundreds of Amazon EC2 Linux-based instances in the AWS Cloud. Systems administrators have used shared SSH keys to manage the instances. After a recent audit, the company’s security team is mandating the removal of all shared keys. A solutions architect must design a solution that provides secure access to the EC2 instances.
Which solution will meet this requirement with the LEAST amount of administrative overhead?
Answer options
- A. Use AWS Systems Manager Session Manager to connect to the EC2 instances.
- B. Use AWS Security Token Service (AWS STS) to generate one-time SSH keys on demand.
- C. Allow shared SSH access to a set of bastion instances. Configure all other instances to allow only SSH access from the bastion instances.
- D. Use an Amazon Cognito custom authorizer to authenticate users. Invoke an AWS Lambda function to generate a temporary SSH key.
Correct answer: A
Explanation
AWS Systems Manager Session Manager gives interactive shell access to managed instances through the SSM Agent and IAM: access is decided by an IAM policy on the caller, not by key material on the host, so there are no SSH keys to distribute or rotate, no inbound port 22 to open, and no bastion host to patch. Session activity can be logged to Amazon S3 or CloudWatch Logs, and every StartSession call is recorded in AWS CloudTrail, which also addresses the audit concern. The only prerequisites are the SSM Agent (preinstalled on Amazon Linux and most AWS-provided AMIs), an instance profile with the AmazonSSMManagedInstanceCore permissions, and a network path to the Systems Manager endpoints (an outbound route or VPC interface endpoints), so the overhead stays low even across hundreds of instances. Option B is wrong because AWS STS issues temporary AWS API credentials, not SSH keys; it has no mechanism to generate or install a one-time key on an instance. Option D would require building and operating a custom key-issuance pipeline (Cognito, Lambda, and a way to push each temporary key onto every instance), far more administrative work than a managed service. Option C still relies on shared SSH keys on the bastion hosts, so it fails the security mandate outright, and it adds hosts to patch and monitor.
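Because Session Manager moves the access decision from a key on the host to an IAM policy, the policy is where the "shared key" mistake tends to reappear: an Allow on ssm:* with Resource "*" lets every administrator open a shell on every instance and end anyone else's session. The example below is added here and is not part of the exam page; it builds a least-privilege Session Manager policy of the kind shown in the AWS sample policies (start sessions only on instances carrying a given tag, only with the standard shell document, and control only your own sessions) and audits an arbitrary policy document for the over-broad pattern. The account ID, Region, tag key and tag value are hypothetical placeholders, and WEAK_POLICY is a constructed input.

```python
"""Least-privilege IAM policy for Session Manager access, plus a checker that
flags the over-broad variant. Added example; account ID, Region and tag values
are hypothetical placeholders."""
import fnmatch
import json

START = "ssm:StartSession"
SESSION_CONTROL = ("ssm:TerminateSession", "ssm:ResumeSession")


def build_session_manager_policy(account_id, region, tag_key, tag_value):
    """Grant StartSession only on instances tagged tag_key=tag_value, only with
    the standard shell document, and let the caller end/resume only sessions
    it started. ARN shapes follow the AWS sample Session Manager policies."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "StartOnTaggedInstancesOnly",
                "Effect": "Allow",
                "Action": START,
                "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/*",
                # ssm:resourceTag is evaluated against the target instance's tags
                "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}},
            },
            {
                "Sid": "StandardShellDocumentOnly",
                "Effect": "Allow",
                "Action": START,
                "Resource": f"arn:aws:ssm:{region}::document/SSM-SessionManagerRunShell",
                # Make the document check mandatory so no other document can be chosen
                "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
            },
            {
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": list(SESSION_CONTROL),
                # Session IDs start with the caller's name; use ${aws:userid}
                # instead for federated or role-based principals
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


# Constructed example of the over-broad policy that often replaces shared keys
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllSsm", "Effect": "Allow", "Action": "ssm:*", "Resource": "*"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(action_pattern, action):
    """IAM action globbing: '*' and 'ssm:*' both cover ssm:StartSession."""
    return fnmatch.fnmatchcase(action.lower(), action_pattern.lower())


def audit_session_manager_policy(policy):
    """Return findings for Allow statements that recreate the shared-key problem
    in IAM form: any matching principal can shell into any instance, or can end
    other people's sessions."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        has_condition = bool(st.get("Condition"))

        if any(a in ("*", "ssm:*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions} grants far more than session access")

        if any(_matches(a, START) for a in actions):
            instance_wide = any(r == "*" or r.endswith(":instance/*") for r in resources)
            if instance_wide and not has_condition:
                findings.append(f"{sid}: {START} on every instance with no tag or resource condition")

        if any(_matches(a, s) for a in actions for s in SESSION_CONTROL):
            if not all("${aws:username}" in r or "${aws:userid}" in r for r in resources):
                findings.append(f"{sid}: session control not limited to the caller's own sessions")
    return findings


if __name__ == "__main__":
    good = build_session_manager_policy("123456789012", "us-east-1", "SSMAccess", "admins")
    print(json.dumps(good, indent=2))
    print("hardened policy findings:", audit_session_manager_policy(good))
    print("weak policy findings:", audit_session_manager_policy(WEAK_POLICY))
```

With the hardened policy attached to the administrators' role, an administrator connects with `aws ssm start-session --target <instance-id>`; the instance needs only the SSM Agent, its instance profile, and a route to the Systems Manager endpoints, and its security group needs no inbound rule at all. The audit function is a lint, not an IAM simulator: it catches the common "everything on everything" statement, but a policy that passes it should still be checked with the IAM policy simulator before rollout.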