AWS Certified SysOps Administrator – Associate — Question 462
A team of on-call engineers frequently needs to connect to Amazon EC2 instances in a private subnet to troubleshoot and run commands. The instances use either the latest AWS-provided Windows Amazon Machine Images (AMIs) or Amazon Linux AMIs.
The team has an existing 1AM role for authorization. A SysOps administrator must provide the team with access to the instances by granting IAM permissions to this role.
Which solution will meet this requirement?
Answer options
- A. Add a statement to the 1AM role policy to allow the ssm:StartSession action on the instances. Instruct the team to use AWS Systems Manager Session Manager to connect to the instances by using the assumed IAM role.
- B. Associate an Elastic IP address and a security group with each instance. Add the engineers' IP addresses to the security group inbound rules. Add a statement to the IAM role policy to allow the ec2:AuthorizeSecurityGrouplngress action so that the team can connect to the instances.
- C. Create a bastion host with an EC2 instance, and associate the bastion host with the VPC. Add a statement to the 1AM role policy to allow the ec2:CreateVpnConnection action on the bastion host. Instruct the team to use the bastion host endpoint to connect to the instances.
- D. Create an internet-facing Network Load Balancer. Use two listeners. Forward port 22 to a target group of Linux instances. Forward port 3389 to a target group of Windows instances. Add a statement to the IAM role policy to allow the ec2:CreateRoute action so that the team can connect to the instances.
Correct answer: A
Explanation
AWS Systems Manager Session Manager provides secure, one-click interactive node management without the need to expose inbound ports, maintain bastion hosts, or manage SSH keys. Since the instances are in a private subnet and use the latest AWS AMIs (which have the SSM Agent pre-installed), allowing the ssm:StartSession action in the IAM role policy is the most secure and efficient solution. The other options either compromise security by exposing private instances directly to the internet or introduce unnecessary architectural complexity.