AWS Certified DevOps Engineer – Professional — Question 16

A company plans to stop using Amazon EC2 key pairs for SSH access, and instead plans to use AWS Systems Manager Session Manager. To further enhance security, access to Session Manager must take place over a private network only.
Which combinations of actions will accomplish this? (Choose two.)

Answer options

• A. Allow inbound access to TCP port 22 in all associated EC2 security groups from the VPC CIDR range.
• B. Attach an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile.
• C. Create a VPC endpoint for Systems Manager in the desired Region.
• D. Deploy a new EC2 instance that will act as a bastion host to the rest of the EC2 instance fleet.
• E. Remove any default routes in the associated route tables.

Correct answer: B, C

Explanation

The correct answer is B and C because attaching an IAM policy with Systems Manager permissions is essential for allowing instances to interact with the service, and creating a VPC endpoint enables private connectivity to Systems Manager. Options A, D, and E do not enhance the security of Session Manager access over a private network as required.