A company requires that SSH commands used to access its AWS instance be traceable to the user who executed each command. How should a Security Engineer accomplish this?
A.
Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
B.
Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
C.
Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
D.
Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instances.
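What option C amounts to in practice, as an added example that is not part of the question or of any comment below. Three details matter: security groups are allow-only, so "deny inbound on port 22" means no inbound rule that admits TCP/22; the "user tag" is the SSMSessionRunAs tag on the IAM principal, which Session Manager's Run As feature maps to the OS account a session runs as; and session logging is configured in the SSM-SessionManagerRunShell preferences document, with each StartSession call also recorded by CloudTrail under the calling IAM principal. The script below checks all three offline. The dicts it inspects are constructed here to match the shapes boto3 returns from `ec2.describe_security_groups` and `ssm.get_document`; no AWS call is made, and the log group name and security group ID are invented.

```python
"""Offline checks for the Session Manager configuration option C describes.
Added example; sample data is constructed to look like boto3 responses."""

import json
from typing import Dict, Iterable, List, Optional

SSH_PORT = 22
RUN_AS_TAG = "SSMSessionRunAs"  # IAM principal tag read by Session Manager's Run As feature


def ingress_admits_port(permission: Dict, port: int) -> bool:
    """True if one IpPermissions entry would let inbound TCP reach `port`."""
    proto = permission.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule; FromPort/ToPort are absent
        return True
    if proto not in ("tcp", "6"):
        return False
    return permission.get("FromPort", 0) <= port <= permission.get("ToPort", 65535)


def rules_allowing_ssh(security_groups: Iterable[Dict]) -> List[str]:
    """List every '<sg-id>: <source>' inbound rule that admits TCP/22.

    Security groups cannot express a deny, so "deny inbound on port 22"
    means this list is empty for every group attached to the instance."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not ingress_admits_port(perm, SSH_PORT):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            for src in sources or ["<no source>"]:
                findings.append(f"{sg['GroupId']}: {src}")
    return findings


def session_logging_issues(preferences_doc: str) -> List[str]:
    """Inspect the Content of the SSM-SessionManagerRunShell preferences document."""
    inputs = json.loads(preferences_doc).get("inputs", {})
    issues = []
    if not inputs.get("cloudWatchLogGroupName"):
        issues.append("no CloudWatch log group: session transcripts are not recorded")
    elif not inputs.get("cloudWatchStreamingEnabled", False):
        issues.append("streaming off: log data is not sent continuously during the session")
    if not inputs.get("cloudWatchEncryptionEnabled", False):
        issues.append("cloudWatchEncryptionEnabled is false")
    if inputs.get("runAsEnabled") and not inputs.get("runAsDefaultUser"):
        issues.append(f"Run As enabled with no default: OS user comes only from the caller's {RUN_AS_TAG} tag")
    return issues


def resolve_run_as_user(caller_tags: Dict[str, str], preferences_doc: str) -> Optional[str]:
    """OS account a session runs as: ssm-user unless Run As is enabled, in which
    case the caller's tag takes precedence over the preferences default.
    Returns None when Run As is on and neither source names a user."""
    inputs = json.loads(preferences_doc).get("inputs", {})
    if not inputs.get("runAsEnabled"):
        return "ssm-user"
    return caller_tags.get(RUN_AS_TAG) or inputs.get("runAsDefaultUser") or None


# --- constructed sample data (IDs and names are invented) -------------------
_SG = "sg-0123456789abcdef0"
_HTTPS = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
_SSH_ANY = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
SG_OPEN_SSH = [{"GroupId": _SG, "IpPermissions": [_SSH_ANY, _HTTPS]}]  # options A, B, D
SG_NO_SSH = [{"GroupId": _SG, "IpPermissions": [_HTTPS]}]             # option C


def _prefs(log_group: str, run_as: bool) -> str:
    """Build a preferences document with the real field names of the SSM document."""
    return json.dumps({"schemaVersion": "1.0", "sessionType": "Standard_Stream", "inputs": {
        "s3BucketName": "", "s3KeyPrefix": "", "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": log_group, "cloudWatchEncryptionEnabled": True,
        "cloudWatchStreamingEnabled": True, "kmsKeyId": "",
        "runAsEnabled": run_as, "runAsDefaultUser": "",
        "idleSessionTimeout": "20", "maxSessionDuration": "",
        "shellProfile": {"windows": "", "linux": ""}}})


PREFS_UNLOGGED = _prefs("", False)                # account defaults: nothing recorded
PREFS_LOGGED = _prefs("/ssm/session-logs", True)  # option C with the user tag in use


def audit(security_groups: Iterable[Dict], preferences_doc: str) -> Dict[str, List[str]]:
    """Combine both checks; an empty ssh_rules list and empty logging_issues is the target state."""
    return {"ssh_rules": rules_allowing_ssh(security_groups),
            "logging_issues": session_logging_issues(preferences_doc)}


if __name__ == "__main__":
    for label, sgs, prefs in (("A/B/D", SG_OPEN_SSH, PREFS_UNLOGGED), ("C", SG_NO_SSH, PREFS_LOGGED)):
        print(label, json.dumps(audit(sgs, prefs), indent=2))
    print("alice's session runs as:", resolve_run_as_user({RUN_AS_TAG: "alice"}, PREFS_LOGGED))
```

To run this against a live account, replace the constructed dicts with the `SecurityGroups` list from `describe_security_groups` and the `Content` string from `get_document(Name="SSM-SessionManagerRunShell")`; the check functions are unchanged.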
Per the AWS URL @JackLee1 shared:
"Secure Access – You don’t have to manually set up user accounts, passwords, or SSH keys on the instances and you don’t have to open up any inbound ports. Session Manager communicates with the instances via the SSM Agent across an encrypted tunnel that originates on the instance, and does not require a bastion host."
Option C. Because we deny port 22, we don't allow direct SSH access. Allow access only through Systems Manager and seamlessly track all the activities.
I think answer C is wrong because
1. Deny inbound access on port 22 at the security group attached to the instance.
You cannot actively deny a port with an SG, which makes the above step impossible.
2. You want to trace your users' SSH commands.
When you cannot connect via SSH, you won't be able to trace your users via SSH.
Session Manager does not use SSH but the SSM agent in order to establish a connection to the instance. Therefore it does not fulfill the requirement of SSH tracing.
As per AWS: Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to managed nodes, strict security practices, and fully auditable logs. It also logs session activity and commands used during the connection.
A - Not correct, since direct access on SSH port 22 is not logged
B - Not correct, since direct access on SSH port 22 is not logged by CloudTrail
C - Correct, by denying direct SSH, users are forced to use Session Manager and these sessions can be traced
D - Not correct
C, since you don't need SSH for shell access using Systems Manager. And logging is possible since it's not an SSH connection and Systems Manager will have access to the logs.