AWS Certified Solutions Architect – Associate (SAA-C03) — Question 721
A company’s developers want a secure way to gain SSH access on the company's Amazon EC2 instances that run the latest version of Amazon Linux. The developers work remotely and in the corporate office.
The company wants to use AWS services as a part of the solution. The EC2 instances are hosted in a VPC private subnet and access the internet through a NAT gateway that is deployed in a public subnet.
What should a solutions architect do to meet these requirements MOST cost-effectively?
Answer options
- A. Create a bastion host in the same subnet as the EC2 instances. Grant the ec2:CreateVpnConnection IAM permission to the developers. Install EC2 Instance Connect so that the developers can connect to the EC2 instances.
- B. Create an AWS Site-to-Site VPN connection between the corporate network and the VPC. Instruct the developers to use the Site-to-Site VPN connection to access the EC2 instances when the developers are on the corporate network. Instruct the developers to set up another VPN connection for access when they work remotely.
- C. Create a bastion host in the public subnet of the VPConfigure the security groups and SSH keys of the bastion host to only allow connections and SSH authentication from the developers’ corporate and remote networks. Instruct the developers to connect through the bastion host by using SSH to reach the EC2 instances.
- D. Attach the AmazonSSMManagedInstanceCore IAM policy to an IAM role that is associated with the EC2 instances. Instruct the developers to use AWS Systems Manager Session Manager to access the EC2 instances.
Correct answer: D
Explanation
AWS Systems Manager Session Manager provides secure, one-click interactive shell access to EC2 instances without needing to open inbound ports, manage SSH keys, or run bastion hosts, making it the most cost-effective and secure option. Since the instances run the latest version of Amazon Linux, the SSM Agent is pre-installed, requiring only the AmazonSSMManagedInstanceCore IAM policy to function. Other options involving bastion hosts or VPN connections introduce unnecessary management overhead, infrastructure costs, and security risks.