Exam AWS Certified Security - Specialty topic 1 question 497 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 497
Topic #: 1

A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance.

The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic.

Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Choose three.)

  • A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0.
  • B. Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the VPC's CIDR range.
  • C. Create an EC2 key pair. Associate the key pair with the EC2 instance.
  • D. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located.
  • E. Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the VPC's CIDR range.
  • F. Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is located.
Suggested Answer: ADE

Comments

yorkicurke
1 year, 6 months ago
Selected Answer: ADE
Why I think Option B is not valid here: the traffic between Systems Manager and the EC2 instance is initiated by the instance itself, not by Systems Manager. The EC2 instances themselves initiate the traffic to Systems Manager, not the other way around. This is because the instances need to reach out to the Systems Manager service to receive commands and configurations.
upvoted 1 times
Nuha_23
1 year, 10 months ago
Selected Answer: ADE
https://aws.amazon.com/fr/blogs/mt/automated-configuration-of-session-manager-without-an-internet-gateway/
upvoted 1 times
Green53
2 years ago
Selected Answer: ADE
Refer to the docs: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-prerequisites.html "The managed nodes you connect to must also allow HTTPS (port 443) outbound traffic to the following (public) endpoints. Alternatively, you can connect to the required endpoints by using interface endpoints." And no inbound ports are required (remember, SGs are stateful) on the EC2 instance itself; refer to: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html "You can use this functionality to connect to managed nodes without opening inbound ports or maintaining bastion hosts."
upvoted 2 times
6_8ftwin
2 years ago
Selected Answer: ADE
One of the benefits of session manager is that it "provides secure and auditable node management without the need to open inbound ports." In other words, the EC2 instance has no need for open inbound ports (SGs are stateful). https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html#session-manager-who The default outbound security group rules normally allow all ports, protocols, and IP addresses: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/default-custom-security-groups.html#default-security-group Restricting outbound connections to port 443 is a better security practice and necessary to connect to the VPC endpoint: https://repost.aws/questions/QUARF56BqXQaKrU27VTPSNYQ/security-group-for-session-manager No trolls that I see.
upvoted 2 times
Toptip
2 years ago
Selected Answer: BDE
B+D+E. Be careful of AWS trolls... they're trying very hard to mislead you, lol...
upvoted 1 times
Green53
2 years ago
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html States that no inbound ports are required.
upvoted 2 times
szmulder
1 year, 5 months ago
You are correct. As https://aws.amazon.com/fr/blogs/mt/automated-configuration-of-session-manager-without-an-internet-gateway/ shows, you only need to open 443 to the VPC CIDR, not 0.0.0.0.
upvoted 3 times
cloudenthusiast
2 years, 1 month ago
Selected Answer: ADE
A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for 0.0.0.0/0: By allowing outbound traffic on port 443, the EC2 instance will be able to establish a connection to the Systems Manager service.
D. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is located: Creating a VPC interface endpoint enables private access to the Systems Manager service within the VPC.
E. Attach a security group to the VPC interface endpoint and allow inbound traffic on port 443 to the VPC's CIDR range: By attaching a security group to the VPC interface endpoint and allowing inbound traffic on port 443 from the VPC's CIDR range, the necessary network connectivity is established for Systems Manager to communicate with the EC2 instance securely.
upvoted 2 times
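The reasoning in the question and the comments above (the agent opens an outbound TLS session to an interface endpoint inside the VPC, security groups are stateful, so only outbound 443 on the instance and inbound 443 on the endpoint are needed) can be checked with a small offline model. This is an added example, not code from the exam page or from AWS; the VPC CIDR is constructed, and the required endpoint services (ssm and ssmmessages) come from the Session Manager documentation the commenters link to.

```python
# Added example: offline model of the Session Manager connectivity rules discussed
# on this page. It maps the question's option letters onto the scenario and reports
# whether the instance has a working private path to the Systems Manager service.
from dataclasses import dataclass, field
from ipaddress import ip_network

VPC_CIDR = "10.0.0.0/16"                 # constructed VPC range for the example
# Interface endpoint services Session Manager needs without an internet gateway
# (per the AWS docs; ec2messages is also created in practice for Run Command)
REQUIRED_ENDPOINTS = {"ssm", "ssmmessages"}


@dataclass
class SecurityGroup:
    # Rules are (port, cidr) tuples. Groups are stateful: the return half of a
    # connection needs no rule of its own, only the initiating direction does.
    inbound: set = field(default_factory=set)
    outbound: set = field(default_factory=set)


def _allows(rules, port, target_cidr):
    """True if some rule matches the port and its CIDR contains target_cidr."""
    return any(p == port and ip_network(target_cidr).subnet_of(ip_network(c))
               for p, c in rules)


def can_reach_ssm(instance_sg, endpoints, endpoint_sg):
    """The agent initiates outbound 443 to the endpoint ENI (an address inside the
    VPC CIDR); the endpoint's group must accept inbound 443 from that range."""
    if not REQUIRED_ENDPOINTS.issubset(endpoints):
        return False                      # no private path to the service
    if not _allows(instance_sg.outbound, 443, VPC_CIDR):
        return False                      # agent cannot open the TLS session
    return _allows(endpoint_sg.inbound, 443, VPC_CIDR)


def evaluate(options):
    """Apply a set of option letters (e.g. 'ADE') to the question's starting state."""
    instance_sg = SecurityGroup()         # no inbound or outbound rules, as stated
    endpoint_sg = SecurityGroup()
    endpoints = set()
    if "A" in options:
        instance_sg.outbound.add((443, "0.0.0.0/0"))
    if "B" in options:
        instance_sg.inbound.add((443, VPC_CIDR))   # wrong direction: never consulted
    if "D" in options:
        endpoints |= REQUIRED_ENDPOINTS
    if "E" in options:
        endpoint_sg.inbound.add((443, VPC_CIDR))
    # C (key pair) and F (endpoint "for the instance") do not change the path
    return can_reach_ssm(instance_sg, endpoints, endpoint_sg)
```

Running `evaluate("ADE")` reports a working path, while `evaluate("BDE")` fails because option B's inbound rule is never consulted for a connection the instance itself initiates.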
Community vote distribution
A (35%)
C (25%)
B (20%)
Other