AWS Certified SysOps Administrator – Associate (legacy) — Question 686
A SysOps Administrator needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added.
Which additional actions should the Administrator take to control access? (Choose two.)
Answer options
- A. Attach an IAM policy to the users or groups that require access to the EC2 instances.
- B. Attach an IAM role to control access to the EC2 instances.
- C. Create a placement group for the EC2 instances and add a specific tag.
- D. Create a service account and attach it to the EC2 instances that need to be controlled.
- E. Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.
Correct answer: A, E
Explanation
To control access to specific EC2 instances via AWS Systems Manager Session Manager based on tags, you must create an IAM policy that uses a Condition element to restrict permissions to only those instances carrying the specified tags. This IAM policy must then be attached directly to the IAM users or groups who need to initiate the sessions. Other options like placement groups or service accounts do not provide user-level access control for Session Manager.
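As an added illustration of answer E (not part of the original question or of any AWS-published policy), the following identity-based policy lets a user start a Session Manager session only on instances tagged `Environment=Dev`, using the `ssm:resourceTag/<tag-key>` condition key; the tag key, tag value and statement IDs are assumed values chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnlyOnTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/Environment": "Dev"
        }
      }
    },
    {
      "Sid": "AllowDefaultShellDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOnlyOwnSessions",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "ReadOnlyDiscovery",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ssm:DescribeInstanceProperties",
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach this policy to the users or groups that need access (answer A); the instance profile that lets the SSM Agent register with Systems Manager is a separate prerequisite on the instance side and does not by itself decide which users may open a session.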