
Amazon SAA-C03: What is the Most Secure Way to Provide External Support Access to AWS Resources?

Learn the most secure solution for granting external support engineers access to the AWS Management Console and EC2 instances running in private subnets. Discover how to leverage AWS IAM Identity Center and Systems Manager Session Manager.


Question

A company has applications that run in an organization in AWS Organizations. The company outsources operational support of the applications. The company needs to provide access for the external support engineers without compromising security.

The external support engineers need access to the AWS Management Console. The external support engineers also need operating system access to the company’s fleet of Amazon EC2 instances that run Amazon Linux in private subnets.

Which solution will meet these requirements MOST securely?

A. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use AWS IAM Identity Center to provide the external support engineers console access. Use Systems Manager Session Manager to assign the required permissions.
B. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use Systems Manager Session Manager to provide local IAM user credentials in each AWS account to the external support engineers for console access.
C. Confirm that all instances have a security group that allows SSH access only from the external support engineers’ source IP address ranges. Provide local IAM user credentials in each AWS account to the external support engineers for console access. Provide each external support engineer an SSH key pair to log in to the application instances.
D. Create a bastion host in a public subnet. Set up the bastion host security group to allow access from only the external engineers’ IP address ranges. Ensure that all instances have a security group that allows SSH access from the bastion host. Provide each external support engineer an SSH key pair to log in to the application instances. Provide local account IAM user credentials to the engineers for console access.

Answer

A. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use AWS IAM Identity Center to provide the external support engineers console access. Use Systems Manager Session Manager to assign the required permissions.

Explanation

The most secure solution to provide external support engineers access to the AWS Management Console and Amazon EC2 instances running in private subnets is Option A:

  1. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. This allows the instances to be managed by AWS Systems Manager.
  2. Assign an instance profile with the necessary policy to connect to Systems Manager. The instance profile grants the required permissions to the EC2 instances to communicate with Systems Manager.
  3. Use AWS IAM Identity Center to provide the external support engineers console access. IAM Identity Center allows you to centrally manage access to multiple AWS accounts and provide users with single sign-on access to the AWS Management Console.
  4. Use Systems Manager Session Manager to assign the required permissions. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. You can control access to instances using IAM policies.
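An added readiness check for steps 1 and 2, not part of the original page: it compares a constructed EC2 fleet listing with the Systems Manager managed-node inventory and reports every running instance that Session Manager could not reach, either because the assumed step-2 instance profile `SSMInstanceProfile` is not attached or because SSM Agent is not reporting Online. The instance IDs, account number and profile name are constructed.

```python
"""Readiness check for steps 1 and 2 of Option A: every running instance must
carry the Systems Manager instance profile and have SSM Agent reporting Online.
The sample data below is constructed and shaped like the boto3 responses of
ec2.describe_instances and ssm.describe_instance_information."""

EXPECTED_PROFILE = "SSMInstanceProfile"  # assumed name of the step-2 instance profile
PROFILE_ARN = "arn:aws:iam::111122223333:instance-profile/" + EXPECTED_PROFILE

# Constructed fleet (fields trimmed); i-0ccc333 never got an instance profile.
FLEET = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"}, "IamInstanceProfile": {"Arn": PROFILE_ARN}},
    {"InstanceId": "i-0bbb222", "State": {"Name": "running"}, "IamInstanceProfile": {"Arn": PROFILE_ARN}},
    {"InstanceId": "i-0ccc333", "State": {"Name": "running"}},
    {"InstanceId": "i-0ddd444", "State": {"Name": "stopped"}, "IamInstanceProfile": {"Arn": PROFILE_ARN}},
]}]}

# Constructed managed-node inventory; the agent on i-0bbb222 has lost its connection.
MANAGED = {"InstanceInformationList": [
    {"InstanceId": "i-0aaa111", "PingStatus": "Online"},
    {"InstanceId": "i-0bbb222", "PingStatus": "ConnectionLost"},
]}


def running_instances(fleet):
    """Yield running instances; a stopped instance cannot host a session anyway."""
    for reservation in fleet["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "running":
                yield inst


def session_manager_gaps(fleet, managed, expected_profile=EXPECTED_PROFILE):
    """Return {instance_id: reason} for running instances Session Manager cannot reach."""
    ping = {m["InstanceId"]: m["PingStatus"] for m in managed["InstanceInformationList"]}
    gaps = {}
    for inst in running_instances(fleet):
        iid = inst["InstanceId"]
        # Step 2: the profile name is the last path segment of the instance profile ARN.
        profile = inst.get("IamInstanceProfile", {}).get("Arn", "").rsplit("/", 1)[-1]
        if profile != expected_profile:
            gaps[iid] = f"instance profile is {profile or 'missing'}, expected {expected_profile}"
        elif iid not in ping:
            # Step 1: in a private subnet this usually means the agent is not installed
            # or the instance has no path (NAT or VPC endpoints) to the Systems Manager endpoints.
            gaps[iid] = "not registered with Systems Manager"
        elif ping[iid] != "Online":
            gaps[iid] = f"SSM Agent not Online (PingStatus={ping[iid]})"
    return gaps
```

Run the check against the real `describe_instances` and `describe_instance_information` responses for each account before handing console access to the engineers; an empty result means every running instance is reachable through Session Manager.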

This solution is the most secure because:

  • It leverages IAM Identity Center for centralized access management and single sign-on to the AWS Management Console.
  • It uses Systems Manager Session Manager for secure and auditable access to EC2 instances in private subnets, eliminating the need for SSH access or bastion hosts.
  • It relies on IAM roles and policies to grant the necessary permissions, following the principle of least privilege.

The other options have security drawbacks:

  • Option B uses local IAM user credentials instead of IAM Identity Center, which is less secure and harder to manage across multiple accounts.
  • Options C and D rely on allowing SSH access to the instances, which is less secure than using Systems Manager Session Manager. They also require managing SSH key pairs and exposing the instances to the internet (either directly or via a bastion host).
