AWS Certified Solutions Architect – Professional — Question 311

A company has several Amazon EC2 instances to both public and private subnets within a VPC that is not connected to the corporate network. A security group associated with the EC2 instances allows the company to use the Windows remote desktop protocol (RDP) over the internet to access the instances. The security team has noticed connection attempts from unknown sources. The company wants to implement a more secure solution to access the EC2 instances.
Which strategy should a solutions architect implement?

Answer options

• A. Deploy a Linux bastion host on the corporate network that has access to all instances in the VPC.
• B. Deploy AWS Systems Manager Agent on the EC2 instances. Access the EC2 instances using Session Manager restricting access to users with permission.
• C. Deploy a Linux bastion host with an Elastic IP address in the public subnet. Allow access to the bastion host from 0.0.0.0/0.
• D. Establish a Site-to-Site VPN connecting the corporate network to the VPC. Update the security groups to allow access from the corporate network only.

Correct answer: B

Explanation

AWS Systems Manager Session Manager provides secure and audited instance management without the need to open inbound ports like RDP (port 3389) or maintain bastion hosts, which eliminates exposure to internet-based connection attempts. Option C is incorrect because leaving a bastion host open to 0.0.0.0/0 maintains a high security risk. Options A and D are incorrect or inefficient because the VPC does not have corporate connectivity, and setting up a Site-to-Site VPN solely for administration adds unnecessary complexity and cost compared to Session Manager.