AWS Certified Solutions Architect – Associate (SAA-C03) — Question 891
A company has applications that run in an organization in AWS Organizations. The company outsources operational support of the applications. The company needs to provide access for the external support engineers without compromising security.
The external support engineers need access to the AWS Management Console. The external support engineers also need operating system access to the company’s fleet ofAmazon EC2 instances that run Amazon Linux in private subnets.
Which solution will meet these requirements MOST securely?
Answer options
- A. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use AWS IAM Identity Center to provide the external support engineers console access. Use Systems Manager Session Manager to assign the required permissions.
- B. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use Systems Manager Session Manager to provide local IAM user credentials in each AWS account to the external support engineers for console access.
- C. Confirm that all instances have a security group that allows SSH access only from the external support engineers’ source IP address ranges. Provide local IAM user credentials in each AWS account to the external support engineers for console access. Provide each external support engineer an SSH key pair to log in to the application instances.
- D. Create a bastion host in a public subnet. Set up the bastion host security group to allow access from only the external engineers’ IP address ranges. Ensure that all instances have a security group that allows SSH access from the bastion host. Provide each external support engineer an SSH key pair to log in to the application instances. Provide local account IAM user credentials to the engineers for console access.
Correct answer: A
Explanation
Option A is the most secure approach because AWS IAM Identity Center provides centralized, federated identity management across AWS Organizations, eliminating the risk of managing individual local IAM users. Utilizing AWS Systems Manager Session Manager allows secure OS-level access to instances in private subnets without opening inbound SSH ports, deploying bastion hosts, or managing SSH key pairs. The other options are less secure as they introduce administrative overhead and security risks associated with bastion hosts, exposed SSH ports, and local IAM credentials.