AWS Certified Solutions Architect – Professional — Question 914
A company is migrating its applications to the AWS Cloud. Each application will reside in its own AWS account after the migration. The applications will be hosted on Amazon EC2 Linux instances that need to be accessed through the shell for administration. The company's administrators want to use the AWS CLI from their laptops to interact with AWS and the EC2 instances.
The company is concerned that SSH access keys might be lost or become public. The company wants to avoid using long-term keys.
Which combination of steps should a solutions architect recommend to meet these requirements? (Choose three.)
Answer options
- A. Create subaccounts and cross-account roles for each of the applications. Create users. Assign cross-account roles to the users. Provide users with their initial credentials.
- B. Configure AWS Single Sign-On. Create users. Assign the users the permission sets for the application accounts that they need to access. Provide users with their initial credentials.
- C. Use AWS Systems Manager Session Manager to obtain shell access to the EC2 instances.
- D. Create an organization in AWS Organizations with all features enabled to manage the accounts. Create subaccounts to host each of the applications.
- E. Create an AWS Lambda function to rotate user access keys every 30 days.
- F. Create an AWS Lambda function to rotate SSH keys for the EC2 instances every 30 days.
Correct answer: B, C, D
Explanation
Option B is correct: AWS Single Sign-On (now AWS IAM Identity Center) lets administrators run `aws sso login` from their laptops and receive short-lived credentials for the permission set assigned to them in each application account, so no long-term IAM access keys are created or stored. Option C is correct: AWS Systems Manager Session Manager provides shell access to the EC2 instances through the SSM Agent, authorized by the same IAM identity and permission set, so no SSH key pairs are issued and no inbound port 22 has to be open; sessions can additionally be logged to Amazon CloudWatch Logs or Amazon S3 for audit. Option D is correct: an organization with all features enabled is the prerequisite for IAM Identity Center to manage access across the per-application member accounts, and those accounts are created under it.
Option A is incorrect because it relies on IAM users whose initial credentials are long-term secrets that must be distributed and managed. Options E and F are incorrect because rotating access keys or SSH keys every 30 days still leaves long-term credentials in circulation that can be lost or leaked; the requirement is to avoid such keys, not to rotate them.
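The explanation above leaves one practical question open: after moving administrators to IAM Identity Center and Session Manager, how do you confirm that no long-term credentials and no SSH exposure remain in the application accounts? The following added example (not part of the original question or any AWS documentation) is a small offline audit: it parses an IAM credential report of the shape returned by `aws iam get-credential-report` and flags users that still hold console passwords or active access keys, and parses `aws ec2 describe-security-groups` output and flags rules that still allow inbound TCP/22. The report rows, security groups, account ID, instance ID and SSO start URL are all constructed placeholders; the `~/.aws/config` fields and CLI commands in the leading comment are the real ones the B + C workflow uses.

```python
"""Post-migration check: are long-term credentials and SSH ingress really gone?

The CLI workflow that options B and C rely on, for reference (placeholder
URL, account ID and instance ID; the config keys and commands are real):

  ~/.aws/config
  [sso-session corp]
  sso_start_url = https://example.awsapps.com/start
  sso_region = us-east-1
  sso_registration_scopes = sso:account:access

  [profile app1-admin]
  sso_session = corp
  sso_account_id = 111111111111
  sso_role_name = AdministratorAccess      # name of the permission set
  region = us-east-1

  aws sso login --profile app1-admin       # short-lived credentials, no access keys on disk
  aws ssm start-session --profile app1-admin --target i-0123456789abcdef0
      # requires the Session Manager plugin locally and SSM Agent + an
      # instance profile with AmazonSSMManagedInstanceCore on the instance
"""
import csv
import io
import json

# Constructed sample IAM credential report (a subset of the real columns that
# `aws iam get-credential-report` returns after base64-decoding `Content`).
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active
<root_account>,arn:aws:iam::111111111111:root,true,true,false,N/A,false
legacy-admin,arn:aws:iam::111111111111:user/legacy-admin,true,false,true,2024-01-15T09:12:00+00:00,false
ci-deployer,arn:aws:iam::111111111111:user/ci-deployer,false,false,true,N/A,true
"""

# Constructed sample `aws ec2 describe-security-groups` output (trimmed).
SAMPLE_SECURITY_GROUPS = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0aaa", "GroupName": "app-admin-ssh", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0bbb", "GroupName": "app-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0ccc", "GroupName": "bastion-legacy", "IpPermissions": [
            {"IpProtocol": "-1",  # "-1" means all protocols/ports, so it covers 22 too
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    ]})


def long_term_credential_users(report_csv: str) -> list[dict]:
    """Return IAM users that still carry long-term credentials.

    Once humans sign in through IAM Identity Center, IAM users should hold
    neither a console password nor access keys; every row flagged here is a
    leftover the migration should remove.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is a separate check; it should never have access keys
        reasons = []
        if row["password_enabled"] == "true":
            reasons.append("console password")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                reasons.append(f"access key {n}")
        if reasons:
            findings.append({"user": row["user"], "credentials": reasons})
    return findings


def _rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True  # all traffic; FromPort/ToPort are absent in this case
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ssh_ingress_rules(describe_sg_json: str) -> list[dict]:
    """Return security-group rules that still allow inbound TCP/22.

    Session Manager is an outbound connection from the SSM Agent to the
    service endpoint, so with it in place no inbound SSH rule is needed.
    """
    findings = []
    for sg in json.loads(describe_sg_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _rule_covers_port(perm, 22):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                             "protocol": perm["IpProtocol"], "sources": sources,
                             "world_open": "0.0.0.0/0" in sources or "::/0" in sources})
    return findings


if __name__ == "__main__":
    for f in long_term_credential_users(SAMPLE_CREDENTIAL_REPORT):
        print(f"[long-term credential] {f['user']}: {', '.join(f['credentials'])}")
    for f in ssh_ingress_rules(SAMPLE_SECURITY_GROUPS):
        flag = " (open to the world)" if f["world_open"] else ""
        print(f"[ssh ingress] {f['group']} {f['name']}: from {f['sources']}{flag}")
```

Run against the constructed samples, the first check reports `legacy-admin` (console password plus an access key) and `ci-deployer` (two access keys), and the second reports `sg-0aaa` (SSH from anywhere) and `sg-0ccc` (an all-traffic rule from a private range, which still covers port 22); `sg-0bbb` is not flagged because HTTPS-only ingress is unrelated to shell access. In a real account, feed the functions the decoded credential report and the JSON from `describe-security-groups` for each application account, and treat any finding as a gap in the "no long-term keys" requirement.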