AWS Certified SysOps Administrator – Associate (legacy) — Question 600

An application is currently deployed on several Amazon EC2 instances that reside within a VPC. Due to compliance requirements, the EC2 instances cannot have access to the public internet. SysOps Administrators require SSH access to EC2 instances from their corporate office to perform maintenance and other administrative tasks.
Which combination of actions should be taken to permit SSH access to the EC2 instances while meeting the compliance requirements? (Choose two.)

Answer options

• A. Attach a NAT gateway to the VPC and configure routing
• B. Attach a virtual private gateway to the VPC and configure routing
• C. Attach an internet gateway to the VPC and configure routing
• D. Configure a VPN connection back to the corporate office
• E. Configure an Application Load Balancer in front of the EC2 instances

Correct answer: A, D

Explanation

Deploying a NAT gateway allows the EC2 instances in private subnets to securely initiate outbound traffic for software updates and patches without being exposed to inbound public internet traffic. Establishing a VPN connection back to the corporate office provides administrators with a secure, private tunnel to SSH directly into the EC2 instances without routing traffic over the public internet.