Question 33
Domain 5: Data Protection
A startup company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company's engineers rely heavily on SSH access to the instances for troubleshooting. The company's existing architecture includes the following:
A VPC with private and public subnets, and a NAT gateway.
Site-to-Site VPN for connectivity with the on-premises environment.
EC2 security groups with direct SSH access from the on-premises environment.
The company needs to increase security controls around SSH access and provide auditing of commands run by the engineers. Which strategy should a solutions architect use?
Correct answer: D
Explanation
AWS Systems Manager Session Manager lets engineers open a shell on an instance without any inbound SSH path, so the port 22 security group rules can be removed entirely. Attaching an IAM role with the AmazonSSMManagedInstanceCore managed policy lets the SSM Agent register the instances as managed instances, and Session Manager records session activity so the commands engineers run can be audited. Connecting through the start-session API call replaces direct SSH while preserving troubleshooting access.
Why each option is right or wrong
A. Install and configure EC2 Instance Connect on the fleet of EC2 instances. Remove all security group rules attached to EC2 instances that allow inbound TCP on port 22. Advise the engineers to remotely access the instances by using the EC2 Instance Connect CLI.
EC2 Instance Connect still relies on SSH over port 22 and does not provide the session-level command auditing that Session Manager offers.
B. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineers' devices. Install the Amazon CloudWatch agent on all EC2 instances and send operating system audit logs to CloudWatch Logs.
Restricting port 22 to specific device IP addresses still leaves inbound SSH open, and the CloudWatch agent forwards operating system logs rather than providing interactive session auditing.
C. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineers' devices. Enable AWS Config for EC2 security group resource changes. Enable AWS Firewall Manager and apply a security group policy that automatically remediates changes to rules.
AWS Config and Firewall Manager govern changes to security group rules, but they neither remove the inbound SSH path nor audit the commands run in a session.
D. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.
AWS Systems Manager Session Manager is the supported control for shell access to EC2 without inbound SSH. The instance profile must include the AWS managed policy AmazonSSMManagedInstanceCore so the SSM Agent can register the instance and accept sessions. Engineers who are granted the StartSession permission in IAM initiate access with the start-session API call, and because no inbound SSH path is required, every security group rule for TCP 22 can be removed. Session Manager also supports session logging, which provides the audit trail of commands and activity the company needs.
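The two facts option D depends on (no security group still permits inbound TCP 22, and every instance carries a profile with AmazonSSMManagedInstanceCore) can be verified offline against the shapes of the EC2 DescribeSecurityGroups and DescribeInstances responses. This is an added example, not part of the exam material; the sample data is constructed, and the profile-to-policy mapping is an assumed lookup the reader would populate from IAM.

```python
from typing import Dict, List

SSM_CORE_POLICY = "AmazonSSMManagedInstanceCore"


def rule_allows_ssh(perm: dict) -> bool:
    """True if an IpPermission entry covers TCP/22 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "-1" means all protocols and ports
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= 22 <= hi


def find_ssh_groups(groups: List[dict]) -> List[str]:
    """Return IDs of security groups that still allow inbound SSH."""
    return [g["GroupId"] for g in groups
            if any(rule_allows_ssh(p) for p in g.get("IpPermissions", []))]


def find_instances_without_ssm(instances: List[dict],
                               profile_policies: Dict[str, List[str]]) -> List[str]:
    """Return instance IDs whose profile lacks the SSM core policy.

    profile_policies is an assumed lookup: instance profile name -> attached
    managed policy names of the role it wraps.
    """
    missing = []
    for inst in instances:
        arn = inst.get("IamInstanceProfile", {}).get("Arn", "")
        name = arn.rsplit("/", 1)[-1] if arn else ""   # profile name is last ARN path element
        if SSM_CORE_POLICY not in profile_policies.get(name, []):
            missing.append(inst["InstanceId"])
    return missing


# Constructed sample data shaped like the EC2 API responses (not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000aaaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},          # on-prem SSH rule to remove
    {"GroupId": "sg-0000bbbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0000aaaa",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-fleet"}},
    {"InstanceId": "i-0000bbbb"},                            # no instance profile at all
]
SAMPLE_PROFILE_POLICIES = {"ssm-fleet": [SSM_CORE_POLICY]}
```

Run both checks before cutting over: a non-empty result from either function means Session Manager access is not yet complete for that resource.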