
SOA-C02: What should SysOps do to resolve issue unable to connect to EC2 instance running Ubuntu and AWS SSM Agent pre-installed

Question

A company’s security policy states that connecting to Amazon EC2 instances is not permitted through SSH or RDP. If access is required, authorized staff can connect to instances by using AWS Systems Manager Session Manager.

Users report that they are unable to connect to one specific Amazon EC2 instance that is running Ubuntu and has AWS Systems Manager Agent (SSM Agent) pre-installed. These users are able to use Session Manager to connect to other instances in the same subnet, and they are in an IAM group that has Session Manager permission for all instances. What should a SysOps administrator do to resolve this issue?

A. Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.
B. Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.
C. Configure the SSM Agent to log in with a user name of “ubuntu”.
D. Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.

Answer

B. Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.

Explanation

Here is a detailed explanation for each option:

Option A: Add an inbound rule for port 22 in the security group associated with the Ubuntu instance.

  • This option would allow SSH access to the Ubuntu instance by adding a rule to the security group that allows inbound traffic on port 22, which is the default port for SSH connections.
  • However, since the security policy explicitly states that connecting to Amazon EC2 instances is not permitted through SSH, this option would violate the security policy and is not recommended.

Option B: Assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance.

  • This option involves attaching the AWS managed policy “AmazonSSMManagedInstanceCore” to the IAM role behind the EC2 instance profile associated with the Ubuntu instance.
  • The “AmazonSSMManagedInstanceCore” managed policy grants the SSM Agent on the instance the permissions it needs to register with Systems Manager and exchange messages with the service; Session Manager depends on that channel, and without it the instance never shows up as a managed node even though the agent is installed and running.
  • Because the other instances in the same subnet work and the users already hold Session Manager permissions, the problem is specific to this instance’s own identity, which is exactly what the instance profile controls.
  • Attaching this managed policy to the instance profile therefore lets authorized staff reach the instance through Session Manager, as the security policy requires, and is the correct solution.
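The check behind Option B can be scripted. The following is an added example, not code from the original page: it walks from the instance to its instance profile, to the role, to the attached policies, and reports whether AmazonSSMManagedInstanceCore is present (optionally attaching it). The clients are passed in so that the constructed FakeEC2/FakeIAM stand-ins below run offline; with real boto3 clients the same calls apply.

```python
"""Diagnose a single instance that Session Manager cannot reach by checking
whether its instance profile role carries AmazonSSMManagedInstanceCore."""

SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def role_for_instance(instance_id, ec2, iam):
    """Return the IAM role name behind the instance's profile, or None."""
    res = ec2.describe_instances(InstanceIds=[instance_id])
    inst = res["Reservations"][0]["Instances"][0]
    profile = inst.get("IamInstanceProfile")
    if not profile:
        return None
    # Profile ARN ends in ".../instance-profile/<name>".
    name = profile["Arn"].rsplit("/", 1)[-1]
    roles = iam.get_instance_profile(InstanceProfileName=name)["InstanceProfile"]["Roles"]
    return roles[0]["RoleName"] if roles else None


def has_ssm_core(role_name, iam):
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    return any(p["PolicyArn"] == SSM_CORE_POLICY_ARN for p in attached)


def diagnose_and_fix(instance_id, ec2, iam, fix=False):
    """Return 'ok', 'missing-policy', 'attached' or 'no-instance-profile'."""
    role = role_for_instance(instance_id, ec2, iam)
    if role is None:
        return "no-instance-profile"  # a profile must be associated first
    if has_ssm_core(role, iam):
        return "ok"
    if fix:
        iam.attach_role_policy(RoleName=role, PolicyArn=SSM_CORE_POLICY_ARN)
        return "attached"
    return "missing-policy"


# Constructed stand-ins for boto3 clients so the diagnosis runs offline.
class FakeEC2:
    def __init__(self, profile_arn):
        self.profile_arn = profile_arn

    def describe_instances(self, InstanceIds):
        inst = {"InstanceId": InstanceIds[0]}
        if self.profile_arn:
            inst["IamInstanceProfile"] = {"Arn": self.profile_arn}
        return {"Reservations": [{"Instances": [inst]}]}


class FakeIAM:
    def __init__(self, role, policies):
        self.role, self.policies = role, list(policies)

    def get_instance_profile(self, InstanceProfileName):
        return {"InstanceProfile": {"Roles": [{"RoleName": self.role}]}}

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyArn": p} for p in self.policies]}

    def attach_role_policy(self, RoleName, PolicyArn):
        self.policies.append(PolicyArn)
```

After attaching the policy on a real instance, allow a few minutes for the agent to register before it appears as a managed node in Systems Manager.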

Option C: Configure the SSM Agent to log in with a user name of “ubuntu”.

  • The SSM Agent is responsible for establishing a connection between AWS Systems Manager Session Manager and the EC2 instance.
  • Configuring the SSM Agent to log in with a specific user name would not resolve the issue because Session Manager does not rely on traditional username/password authentication.
  • Instead, it uses AWS Identity and Access Management (IAM) roles and policies to control access to instances.
  • Therefore, this option is not relevant to resolving the issue.

Option D: Generate a new key pair, configure Session Manager to use this new key pair, and provide the private key to the users.

  • Session Manager does not require users to have access to private key pairs for SSH connections.
  • Instead, it uses IAM roles and policies for authentication and authorization.
  • Generating a new key pair and providing the private key to users would not resolve the issue because Session Manager does not use SSH keys for authentication.
  • Therefore, this option is not relevant to resolving the issue.

Based on these explanations, Option B (assign the AmazonSSMManagedInstanceCore managed policy to the EC2 instance profile for the Ubuntu instance) is the correct solution to resolve the issue.

Please note that it’s important to follow your organization’s security policies and best practices when configuring access to Amazon EC2 instances.
