
Amazon SAA-C03 Exam - Topic 4 Question 26 Discussion

Actual exam question for Amazon's SAA-C03 exam
Question #: 26
Topic #: 4

A company's developers want a secure way to gain SSH access on the company's Amazon EC2 instances that run the latest version of Amazon Linux. The developers work remotely and in the corporate office.

The company wants to use AWS services as a part of the solution. The EC2 instances are hosted in a VPC private subnet and access the internet through a NAT gateway that is deployed in a public subnet.

What should a solutions architect do to meet these requirements MOST cost-effectively?

Suggested Answer: D

AWS Systems Manager Session Manager is a service that enables you to securely connect to your EC2 instances without using SSH keys or bastion hosts. You can use Session Manager to access your instances through the AWS Management Console, the AWS CLI, or the AWS SDKs.

Session Manager uses IAM policies and roles to control who can access which instances. By attaching the AmazonSSMManagedInstanceCore IAM policy to an IAM role that is associated with the EC2 instances, you grant the Session Manager service the necessary permissions to perform actions on your instances. You also need to attach another IAM policy to the developers' IAM users or roles that allows them to start sessions to the instances. Session Manager uses the AWS Systems Manager Agent (SSM Agent), which is installed by default on Amazon Linux 2 and other supported Linux distributions. Session Manager also encrypts all session data between your client and your instances, and streams session logs to Amazon S3, Amazon CloudWatch Logs, or both for auditing purposes.

This solution is the most cost-effective, as it does not require any additional resources or services, such as bastion hosts, VPN connections, or NAT gateways. It also simplifies the security and management of SSH access, as it eliminates the need for SSH keys, port opening, or firewall rules.

Reference:

- What is AWS Systems Manager?
- Setting up Session Manager
- Getting started with Session Manager
- Controlling access to Session Manager
- Logging Session Manager activity
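The explanation above mentions a second IAM policy that lets developers start sessions. As an added example (not from the original page and not AWS's own code), the Python below embeds a constructed developer-side policy and checks that `ssm:StartSession` is limited by an instance tag. The tag `Team=dev`, the use of IAM users for `${aws:username}`, and the names `DEVELOPER_POLICY`, `BROAD_POLICY` and `unscoped_start_session` are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed developer-side policy. Assumptions: instances carry the tag
# Team=dev and developers sign in as IAM users (so ${aws:username} resolves).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # start sessions only on instances tagged Team=dev
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ssm:resourceTag/Team": "dev"}},
        },
        {   # resume or end only the caller's own sessions
            "Effect": "Allow",
            "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
            "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
        },
    ],
}

def _as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def unscoped_start_session(policy):
    """Return indexes of Allow statements that grant ssm:StartSession on
    every instance without a resource-tag condition."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("ssm:startsession", a) for a in actions):
            continue
        all_instances = any(r == "*" or r.endswith(":instance/*")
                            for r in _as_list(stmt.get("Resource", [])))
        cond_keys = [key.lower() for operator in stmt.get("Condition", {}).values()
                     for key in operator]
        tag_scoped = any(k.startswith(("ssm:resourcetag/", "aws:resourcetag/"))
                         for k in cond_keys)
        if all_instances and not tag_scoped:
            findings.append(index)
    return findings

# Constructed counter-example: any instance, no condition.
BROAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(unscoped_start_session(DEVELOPER_POLICY), unscoped_start_session(BROAD_POLICY))
```
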


Contribute your Thoughts:

Lezlie
3 months ago
D is definitely cost-effective and secure!
upvoted 0 times
...
Kenneth
3 months ago
C sounds risky with SSH keys; I'd avoid that.
upvoted 0 times
...
Britt
3 months ago
Surprised that a bastion host is still a common solution!
upvoted 0 times
...
Leonora
4 months ago
I think B is overkill for remote access.
upvoted 0 times
...
Lorrie
4 months ago
Option D is the best choice for secure access without exposing SSH.
upvoted 0 times
...
Renea
4 months ago
I believe creating a bastion host in the public subnet is a common practice, but I wonder if it’s the best choice considering security and cost.
upvoted 0 times
...
Elmira
4 months ago
I practiced a similar question about VPN connections, but I feel like setting up a Site-to-Site VPN for remote access might be overkill for this scenario.
upvoted 0 times
...
Cristen
4 months ago
I think using AWS Systems Manager Session Manager could be a good option since it doesn't require opening SSH ports, but I can't recall if it’s the most cost-effective solution.
upvoted 0 times
...
Oretha
5 months ago
I remember studying about bastion hosts, but I'm not sure if they should be in the same subnet as the EC2 instances or in a public subnet.
upvoted 0 times
...
Rashad
5 months ago
I'm not sure which option is the most cost-effective. I'll need to do some research on the pricing and operational costs of each AWS service mentioned to make an informed decision.
upvoted 0 times
...
Danilo
5 months ago
I'm leaning towards Option D with the AWS Systems Manager approach. It seems like it could be a simpler and more managed solution, but I'll need to double-check the pricing and security implications.
upvoted 0 times
...
Selma
5 months ago
Option C looks promising to me. Creating a bastion host in the public subnet and restricting access to the developers' networks seems like a secure and cost-effective solution.
upvoted 0 times
...
Junita
5 months ago
I'm a bit confused by the different AWS services mentioned here. I'll need to review my notes on VPNs, bastion hosts, and Systems Manager to make sure I understand the pros and cons of each option.
upvoted 0 times
...
Yoko
5 months ago
This seems like a tricky question, but I think I have a good strategy. I'll carefully read through the options and consider the cost-effectiveness and security aspects of each approach.
upvoted 0 times
...
Anthony
5 months ago
Encrypting the passwords as environment variables could be an option, but I'm not sure if that's the most secure approach. I'd want to double-check the documentation to make sure that meets all the requirements.
upvoted 0 times
...
Renato
5 months ago
I'm drawing a blank on this one. The TOGAF principles aren't something I've fully committed to memory. I'll have to make an educated guess and hope for the best.
upvoted 0 times
...
Shawna
5 months ago
Dumpster diving is definitely the way to go here. That's the classic technique for finding sensitive documents that haven't been properly shredded or disposed of. Easy choice.
upvoted 0 times
...
Rene
2 years ago
True, but with Option D, the developers would still need to be granted the AmazonSSMManagedInstanceCore IAM policy, which could be a bit of a pain to manage. And what if the developers need to do some advanced troubleshooting that requires direct SSH access? The bastion host approach in Option C seems more flexible.
upvoted 0 times
...
Carole
2 years ago
I'm not so sure about Option C. Doesn't that mean the developers will have to go through an extra hop to access the EC2 instances? That could slow things down and be a bit of a hassle for them. Option D with AWS Systems Manager Session Manager seems like it could be more user-friendly.
upvoted 0 times
Buddy
2 years ago
Exactly, Option D seems like the most user-friendly and secure solution for SSH access to EC2 instances.
upvoted 0 times
...
Dorothea
2 years ago
And they can do it without the extra hop through a bastion host like Option C.
upvoted 0 times
...
Ashley
2 years ago
True, with Option D, developers can access EC2 instances without having to manage SSH keys.
upvoted 0 times
...
Cordie
2 years ago
That's a good point. Option D with AWS Systems Manager Session Manager could be more secure.
upvoted 0 times
...
Quentin
2 years ago
But won't granting ec2:CreateVpnConnection IAM permission to developers be a security risk?
upvoted 0 times
...
Markus
2 years ago
I think Option A might be the best choice. It allows developers to connect to EC2 instances directly.
upvoted 0 times
...
...
Fletcher
2 years ago
Haha, yeah, imagine if the developers tried to use Option A and accidentally created a VPN connection instead of using EC2 Instance Connect. That would be a real 'connect the dots' kind of moment.
upvoted 0 times
...
Willow
2 years ago
Good one! Although, to be fair, Option A does seem a bit overly complex for this use case. I think the best solution is still Option C - it's secure, cost-effective, and gives the developers the access they need without too much extra hassle.
upvoted 0 times
...
