Amazon SCS-C03 Exam - Topic 5 Question 3 Discussion

Actual exam question for Amazon's SCS-C03 exam

Question #: 3
Topic #: 5

A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.

The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.

Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)

AUpdate the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.

BUpdate the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.

CCreate an EC2 key pair. Associate the key pair with the EC2 instance.

DCreate a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.

EAttach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.

FCreate a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.

Show Suggested Answer

Suggested Answer: A, D, E

AWS Systems Manager Session Manager requires secure outbound HTTPS connectivity from the EC2 instance to Systems Manager endpoints. In a VPC without internet access, AWS Certified Security -- Specialty documentation recommends using interface VPC endpoints to enable private connectivity without exposing the instance to the internet.

Creating a VPC interface endpoint for Systems Manager allows the SSM Agent to communicate securely with the Systems Manager service. The endpoint must have an attached security group that allows inbound traffic on port 443 from the VPC CIDR range. Additionally, the EC2 instance security group must allow outbound HTTPS traffic on port 443 so the agent can initiate connections.

Option C is incorrect because creating or associating key pairs enables SSH access, which can alter forensic evidence and violates forensic best practices. Option B is unnecessary because Session Manager does not require inbound rules on the EC2 instance. Option F is invalid because EC2 does not use interface endpoints for management connectivity.

This combination ensures secure, private access for forensic investigation while preserving evidence integrity and adhering to AWS incident response best practices.

Referenced AWS Specialty Documents:

AWS Certified Security -- Specialty Official Study Guide

AWS Systems Manager Session Manager Architecture

AWS Incident Response and Forensics Best Practices

by Rosamond at Jan 26, 2026, 03:27 PM

Limited Time Offer

25%

1 month ago

I think the key here is to establish a secure connection between the EC2 instance and the Systems Manager service. Options D and E look promising, as they involve creating a VPC interface endpoint and configuring the security group to allow the necessary traffic.

upvoted 0 times

...