
Amazon SCS-C02 Exam - Topic 4 Question 54 Discussion

[Infrastructure Security]

A company uses AWS Organizations to run workloads in multiple AWS accounts. Currently, the individual team members at the company access all Amazon EC2 instances remotely by using SSH or Remote Desktop Protocol (RDP). The company does not have any audit trails, and security groups are occasionally open. The company must secure access management and implement a centralized logging solution.

Which solution will meet these requirements MOST securely?

A) Configure trusted access for AWS Systems Manager in Organizations. Configure a bastion host from the management account. Replace SSH and RDP by using Systems Manager Session Manager from the management account. Configure Session Manager logging to Amazon CloudWatch Logs.
B) Replace SSH and RDP with AWS Systems Manager Session Manager. Install Systems Manager Agent (SSM Agent) on the instances. Attach the AmazonSSMManagedInstanceCore role to the instances. Configure session data streaming to Amazon CloudWatch Logs. Create a separate logging account that has appropriate cross-account permissions to audit the log data.
C) Install a bastion host in the management account. Reconfigure all SSH and RDP to allow access only from the bastion host. Install AWS Systems Manager Agent (SSM Agent) on the bastion host. Attach the AmazonSSMManagedInstanceCore role to the bastion host. Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit log data.
D) Replace SSH and RDP with AWS Systems Manager State Manager. Install Systems Manager Agent (SSM Agent) on the instances. Attach the AmazonSSMManagedInstanceCore role to the instances. Configure session data streaming to Amazon CloudTrail. Use CloudTrail Insights to analyze the trail data.


Suggested Answer: C

To meet the requirements of securing access management and implementing a centralized logging solution, the suggested answer (C) is to:

Install a bastion host in the management account.

Reconfigure all SSH and RDP to allow access only from the bastion host.

Install AWS Systems Manager Agent (SSM Agent) on the bastion host.

Attach the AmazonSSMManagedInstanceCore role to the bastion host.

Configure session data streaming to Amazon CloudWatch Logs in a separate logging account to audit the log data.

This design has the following security properties:

Every instance security group allows ports 22 and 3389 only from the bastion host (by security group reference or private IP), so the "occasionally open" rules that exposed instances to the internet are closed and there is a single choke point to monitor.

The bastion itself is reached through AWS Systems Manager Session Manager rather than SSH or RDP: the administrator is authenticated and authorized by IAM, the bastion needs no inbound security group rule because SSM Agent connects outbound to the Systems Manager endpoints, and the AmazonSSMManagedInstanceCore managed policy grants the agent only the permissions it needs to register with Systems Manager and serve sessions.

Session Manager logging to Amazon CloudWatch Logs provides the missing audit trail, and sending it to a separate logging account with cross-account permissions keeps the records out of reach of the administrators whose sessions they describe.

Caveat: the "no inbound ports" benefit applies to the bastion only. The instances still accept SSH and RDP from the bastion, so their security groups, host keys and local credentials remain part of the attack surface, and the bastion is a standing host that must be patched and monitored. Option B, which installs SSM Agent and the AmazonSSMManagedInstanceCore role on every instance, removes the inbound SSH/RDP rules and the bastion entirely and records each session directly, which is why several commenters below prefer it.

https://aws.amazon.com/solutions/implementations/centralized-logging/
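An offline helper for the migration described above, added here as an example; it is not code from the page or from AWS. It audits security groups for the "occasionally open" SSH/RDP rules the question mentions, builds the regional Session Manager preferences document (SSM-SessionManagerRunShell) so that every session streams to an encrypted CloudWatch Logs group, flags weak preference settings, and generates the trust and permission policies for a read-only role that the separate logging account assumes to audit the logs. The security-group input is constructed inline in the shape boto3's ec2.describe_security_groups() returns; no AWS call is made, and the log-group name, account IDs, key alias and group IDs are placeholders.

```python
# Added example (not from the page or from AWS): an offline helper for the
# Session Manager migration described above. Inputs are constructed inline in
# the shape boto3's ec2.describe_security_groups() returns; no AWS call is made.
# Log-group names, account IDs, key aliases and group IDs are placeholders.
import json

REMOTE_ACCESS_PORTS = (22, 3389)          # SSH, RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}


def open_remote_access_rules(security_groups):
    """Return sorted (group_id, port, cidr) for every ingress rule that lets
    the whole internet reach SSH or RDP. Protocol "-1" (all traffic) spans
    every port, so it is reported for both."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                lo, hi = 0, 65535
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue                    # UDP/ICMP cannot carry SSH or RDP
            ports = [p for p in REMOTE_ACCESS_PORTS if lo <= p <= hi]
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    findings.extend((sg["GroupId"], p, cidr) for p in ports)
    return sorted(findings)


def session_manager_preferences(log_group, kms_key_id):
    """Content of the regional SSM-SessionManagerRunShell document: sessions
    are streamed to CloudWatch Logs as they happen, the log group must be
    KMS-encrypted, and session traffic itself is encrypted with a KMS key."""
    return {
        "schemaVersion": "1.0",
        "description": "Session Manager preferences: stream sessions to CloudWatch Logs",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": "", "s3KeyPrefix": "", "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": log_group,
            "cloudWatchEncryptionEnabled": True,
            "cloudWatchStreamingEnabled": True,
            "kmsKeyId": kms_key_id,
            "runAsEnabled": False, "runAsDefaultUser": "",
            "idleSessionTimeout": "20", "maxSessionDuration": "",
            "shellProfile": {"windows": "", "linux": ""},
        },
    }


def logging_issues(preferences):
    """List the settings that would leave a session unrecorded or unprotected."""
    inputs = preferences.get("inputs", {})
    issues = []
    if not inputs.get("cloudWatchLogGroupName"):
        issues.append("no CloudWatch log group: sessions are not recorded")
    if not inputs.get("cloudWatchStreamingEnabled"):
        issues.append("streaming off: log is uploaded only when the session ends")
    if not inputs.get("cloudWatchEncryptionEnabled"):
        issues.append("log group is not required to be encrypted")
    if not inputs.get("kmsKeyId"):
        issues.append("no KMS key: session data is not encrypted with a customer key")
    return issues


def audit_role_policies(logging_account_id, log_group_arn):
    """Trust and permission policies for a read-only role in the workload
    account that only the logging account may assume to pull session logs."""
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{logging_account_id}:root"},
        "Action": "sts:AssumeRole"}]}
    permissions = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"],
        "Resource": [log_group_arn, f"{log_group_arn}:*"]}]}
    return trust, permissions


# Constructed sample: one group open on 22/3389, one limited to the bastion's
# security group (never reported), one allowing all traffic from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ffeed00", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]}]},
    {"GroupId": "sg-0deadbee", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

# The weak configuration beside the hardened one: no log group, no streaming, no key.
WEAK_PREFERENCES = session_manager_preferences("", "")
WEAK_PREFERENCES["inputs"]["cloudWatchStreamingEnabled"] = False

if __name__ == "__main__":
    for gid, port, cidr in open_remote_access_rules(SAMPLE_GROUPS):
        print(f"{gid}: port {port} open to {cidr}")
    print("weak preferences:", logging_issues(WEAK_PREFERENCES))
    trust, _ = audit_role_policies("222233334444",
                                   "arn:aws:logs:us-east-1:111122223333:log-group:/ssm/sessions")
    print(json.dumps(trust, indent=2))
```

In a real account the audit would be fed by ec2.describe_security_groups() and the preferences dict written with ssm.update_document() on SSM-SessionManagerRunShell; the permission policy deliberately omits logs:PutLogEvents and logs:DeleteLogGroup so the logging account can read the trail but not alter it.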


Zana
1 month ago
I'm leaning towards option D. A bastion host adds an extra layer.
upvoted 0 times
...
Myra
1 month ago
Option C sounds good too. Separate logging account is smart.
upvoted 0 times
...
Jacquelyne
2 months ago
I prefer option B. It's simpler and still secure.
upvoted 0 times
...
Xuan
2 months ago
I think option A is the best. Centralized logging is crucial.
upvoted 0 times
...
Gearldine
2 months ago
C is good for cross-account logging, but is it really the most secure?
upvoted 0 times
...
Mona
2 months ago
I disagree, D adds unnecessary complexity with the bastion host.
upvoted 0 times
...
Thaddeus
2 months ago
Surprised they still use SSH/RDP, that's risky!
upvoted 0 times
...
Queen
3 months ago
I think B is better since it simplifies access management.
upvoted 0 times
...
Barrett
3 months ago
Option A seems solid with centralized logging.
upvoted 0 times
...
Izetta
3 months ago
A is the way to go. Gotta love that Systems Manager integration with Organizations!
upvoted 0 times
...
Reita
3 months ago
Haha, E is like using a sledgehammer to crack a nut. CloudTrail for session logging? Really?
upvoted 0 times
...
My
4 months ago
D seems like overkill with the bastion host. I'd go with B for a simpler yet secure solution.
upvoted 0 times
...
Elmer
4 months ago
B looks good, but I'm not sure if CloudWatch Logs is the best option for centralized logging.
upvoted 0 times
...
Helaine
4 months ago
Option A seems the most comprehensive solution, covering all the requirements securely.
upvoted 0 times
...
Markus
4 months ago
I remember we talked about using bastion hosts, but I’m not sure if it’s the best approach here. I thought replacing SSH and RDP entirely with Session Manager was more secure.
upvoted 0 times
...
Deja
4 months ago
I feel like option C is a strong choice since it mentions cross-account permissions, but I'm a bit uncertain about how the logging account should be set up.
upvoted 0 times
...
Adolph
5 months ago
I think option A sounds familiar, especially the part about configuring a bastion host. We practiced a similar question about centralized logging, but I can't recall the exact details.
upvoted 0 times
...
Francoise
5 months ago
I remember we discussed the importance of using AWS Systems Manager for secure access, but I'm not sure if we should go with Session Manager or State Manager for this scenario.
upvoted 0 times
...
Lauryn
5 months ago
Option E mentions using CloudTrail Insights, which could be a nice addition to the logging requirements. I'll need to look into how that compares to the CloudWatch Logs approach in the other options.
upvoted 0 times
...
Tonette
5 months ago
I'm leaning towards option D. Having a dedicated bastion host and separating the logging account seems like a really robust approach. The only thing I'm not sure about is the overhead of managing the bastion host.
upvoted 0 times
...
Shizue
5 months ago
Option A looks promising - it mentions using a bastion host and configuring trusted access, which could provide an extra layer of security. I'll need to research how that would work in practice to see if it's the best solution.
upvoted 0 times
...
Krystina
5 months ago
I'm a bit confused by the different options. They all seem to involve Systems Manager, but the details are a bit different. I'll need to carefully read through each one to understand the nuances and decide which one is the most secure.
upvoted 0 times
...
Shala
6 months ago
This question seems pretty straightforward. I think the best approach is to go with option B - it covers all the key requirements like replacing SSH/RDP, using Systems Manager, and setting up logging.
upvoted 0 times
Pamela
1 month ago
I agree with you, option B looks solid. It simplifies access management.
upvoted 0 times
...
...
