AWS Certified SysOps Administrator – Associate (legacy) — Question 93
A SysOps Administrator must use a bastion host to administer a fleet of Amazon EC2 instances. All access to the bastion host is managed by the Security team.
What is the MOST secure way for the Security team to provide the SysOps Administrator access to the bastion host?
Answer options
- A. Assign the same IAM role to the Administrator that is assigned to the bastion host.
- B. Provide the Administrator with the SSH key that was used for the bastion host when it was originally launched.
- C. Create a new IAM role with the same permissions as the Security team, and assign it to the Administrator.
- D. Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.
Correct answer: D
Explanation
Option D is the most secure approach: it creates a dedicated administrative account on the bastion host for the Administrator alone, and the credentials for that account can be stored, managed, and rotated securely through AWS Secrets Manager. Option A is insecure because it grants excessive permissions. Option B risks exposing the bastion host's original access credentials. Option C, while better, still does not isolate the Administrator's access in a way that effectively mitigates risk.