New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon SCS-C02 Exam - Topic 4 Question 54 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 54
Topic #: 4
[All SCS-C02 Questions]

[Infrastructure Security]

A company usesAWS Organizations to run workloads in multiple AWS accounts Currently the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP) The company does not have any audit trails and security groups are occasionally open The company must secure access management and implement a centralized togging solution

Which solution will meet these requirements MOST securely?

Show Suggested Answer Hide Answer
Suggested Answer: C

To meet the requirements of securing access management and implementing a centralized logging solution, the most secure solution would be to:

Install a bastion host in the management account.

Reconfigure all SSH and RDP to allow access only from the bastion host.

Install AWS Systems Manager Agent (SSM Agent) on the bastion host.

Attach the AmazonSSMManagedlnstanceCore role to the bastion host.

Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data

This solution provides the following security benefits:

It uses AWS Systems Manager Session Manager instead of traditional SSH and RDP protocols, which provides a secure method for accessing EC2 instances without requiring inbound firewall rules or open ports.

It provides audit trails by configuring Session Manager logging to Amazon CloudWatch Logs and creating a separate logging account to audit the log data.

It uses the AWS Systems Manager Agent to automate common administrative tasks and improve the security posture of the instances.

The separate logging account with cross-account permissions provides better data separation and improves security posture.

https://aws.amazon.com/solutions/implementations/centralized-logging/


by Lashaunda at Jan 05, 2026, 05:16 AM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
My
3 days ago
D seems like overkill with the bastion host. I'd go with B for a simpler yet secure solution.
upvoted 0 times
...
Elmer
8 days ago
B looks good, but I'm not sure if CloudWatch Logs is the best option for centralized logging.
upvoted 0 times
...
Helaine
13 days ago
Option A seems the most comprehensive solution, covering all the requirements securely.
upvoted 0 times
...
Markus
18 days ago
I remember we talked about using bastion hosts, but I’m not sure if it’s the best approach here. I thought replacing SSH and RDP entirely with Session Manager was more secure.
upvoted 0 times
...
Deja
23 days ago
I feel like option C is a strong choice since it mentions cross-account permissions, but I'm a bit uncertain about how the logging account should be set up.
upvoted 0 times
...
Adolph
28 days ago
I think option A sounds familiar, especially the part about configuring a bastion host. We practiced a similar question about centralized logging, but I can't recall the exact details.
upvoted 0 times
...
Francoise
1 month ago
I remember we discussed the importance of using AWS Systems Manager for secure access, but I'm not sure if we should go with Session Manager or State Manager for this scenario.
upvoted 0 times
...
Lauryn
1 month ago
Option E mentions using CloudTrail Insights, which could be a nice addition to the logging requirements. I'll need to look into how that compares to the CloudWatch Logs approach in the other options.
upvoted 0 times
...
Tonette
1 month ago
I'm leaning towards option D. Having a dedicated bastion host and separating the logging account seems like a really robust approach. The only thing I'm not sure about is the overhead of managing the bastion host.
upvoted 0 times
...
Shizue
2 months ago
Option A looks promising - it mentions using a bastion host and configuring trusted access, which could provide an extra layer of security. I'll need to research how that would work in practice to see if it's the best solution.
upvoted 0 times
...
Krystina
2 months ago
I'm a bit confused by the different options. They all seem to involve Systems Manager, but the details are a bit different. I'll need to carefully read through each one to understand the nuances and decide which one is the most secure.
upvoted 0 times
...
Shala
2 months ago
This question seems pretty straightforward. I think the best approach is to go with option B - it covers all the key requirements like replacing SSH/RDP, using Systems Manager, and setting up logging.
upvoted 0 times
...

Save Cancel