AWS Certified SysOps Administrator – Associate — Question 334
A company is running workloads on premises and on AWS. A SysOps administrator needs to automate tasks across all servers on premises by using AWS services. The SysOps administrator must not install long-term credentials on the on-premises servers.
What should the SysOps administrator do to meet these requirements?
Answer options
- A. Create an IAM role and instance profile that include AWS Systems Manager permissions. Attach the role to the on-premises servers.
- B. Create a managed-instance activation in AWS Systems Manager. Install the Systems Manager Agent (SSM Agent) on the on-premises servers. Register the servers with the activation code and ID from the instance activation.
- C. Create an AWS managed IAM policy that includes the appropriate AWS Systems Manager permissions. Download the IAM policy to the on-premises servers.
- D. Create an IAM user and an access key. Log on to the on-premises servers and install the AWS CLI. Configure the access key in the AWS credentials file after the AWS CLI is successfully installed.
Correct answer: B
Explanation
AWS Systems Manager hybrid activations allow on-premises servers to be registered securely as managed instances: the SSM Agent registers each server with the activation code and ID and then works with temporary credentials. Option A is incorrect because IAM roles and instance profiles cannot be attached directly to on-premises physical servers. Options C and D are incorrect because they require downloading policies to the servers or storing long-term access keys on premises, which violates the security requirement.