AWS Certified DevOps Engineer – Professional — Question 60
A DevOps engineer needs to grant several external contractors access to a legacy application that runs on an Amazon Linux Amazon EC2 instance. The application server is available only in a private subnet. The contractors are not authorized for VPN access.
What should the DevOps engineer do to grant the contractors access to the application server?
Answer options
- A. Create an IAM user and SSH keys for each contractor. Add the public SSH key to the application server's SSH authorized_keys file. Instruct the contractors to install the AWS CLI and AWS Systems Manager Session Manager plugin, update their AWS credentials files with their private keys, and use the aws ssm start-session command to gain access to the target application server instance ID.
- B. Ask each contractor to securely send their SSH public key. Add this public key to the application server's SSH authorized-keys file. Instruct the contractors to use their private key to connect to the application server through SSH.
- C. Ask each contractor to securely send their SSH public key. Use EC2 pairs to import their key. Update the application server's SSH authorized_keys file. Instruct the contractors to use their private key to connect to the application server through SSH.
- D. Create an IAM user for each contractor with programmatic access. Add each user to an IAM group that has a policy that allows the ssm:StartSession action. Instruct the contractors to install the AWS CLI and AWS Systems Manager Session Manager plugin, update their AWS credentials files with their access keys, and use the aws ssm start-session to gain access to the target application server instance ID.
Correct answer: D
Explanation
The correct answer, D, is appropriate because it uses AWS Systems Manager Session Manager to provide access to the instance without a VPN, which the contractors are not authorized to use, and it grants that access through IAM users in a group whose policy allows the ssm:StartSession action. The other options (A, B, and C) either rely on direct SSH access, which is not feasible because the instance is reachable only inside the private subnet and the contractors have no VPN access, or do not implement the IAM policies needed to authorize Session Manager access.