AWS Certified SysOps Administrator – Associate — Question 466

A SysOps administrator needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added.
Which additional actions should the administrator take to control access? (Choose two.)

Answer options

• A. Attach an IAM policy to the users or groups that require access to the EC2 instances.
• B. Attach an IAM role to control access to the EC2 instances.
• C. Create a placement group for the EC2 instances and add a specific tag.
• D. Create a service account and attach it to the EC2 instances that need to be controlled.
• E. Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.

Correct answer: A, E

Explanation

To enforce tag-based access control via Session Manager, an IAM policy must be created with a Condition element that targets the specific EC2 instance tags, and this policy must then be attached to the IAM users or groups requiring access. Options B and D are incorrect because instance roles and service accounts do not govern user-level access permissions to those instances. Option C is incorrect because placement groups are used to influence the physical placement of instances for performance, not for access control.