
Exam AWS Certified Solutions Architect - Professional topic 1 question 654 discussion

A company has several Amazon EC2 instances in both public and private subnets within a VPC that is not connected to the corporate network. A security group associated with the EC2 instances allows the company to use the Windows Remote Desktop Protocol (RDP) over the internet to access the instances. The security team has noticed connection attempts from unknown sources. The company wants to implement a more secure solution to access the EC2 instances.
Which strategy should a solutions architect implement?

  • A. Deploy a Linux bastion host on the corporate network that has access to all instances in the VPC.
  • B. Deploy AWS Systems Manager Agent on the EC2 instances. Access the EC2 instances using Session Manager restricting access to users with permission.
  • C. Deploy a Linux bastion host with an Elastic IP address in the public subnet. Allow access to the bastion host from 0.0.0.0/0.
  • D. Establish a Site-to-Site VPN connecting the corporate network to the VPC. Update the security groups to allow access from the corporate network only.
Suggested Answer: B 🗳️

Comments

Ebi
Highly Voted 3 years, 7 months ago
Answer is B, with Systems Manager agent you can manage EC2 instances without the need to open inbound ports.
upvoted 25 times
Kelvin1477
Highly Voted 3 years, 7 months ago
I still prefer B or SSM Session Manager, as the other option is using a Linux bastion where the question here is talking about Windows RDP, which I believe means the target instance is Windows Server.
upvoted 13 times
SkyZeroZx
Most Recent 1 year, 10 months ago
Selected Answer: B
Answer is B, with Systems Manager agent you can manage EC2 instances without the need to open inbound ports.
upvoted 2 times
rsn
1 year, 11 months ago
Selected Answer: D
Option B is not talking about updating security groups. The underlying problem is still not resolved. D looks correct to me.
upvoted 1 times
joancarles
2 years, 7 months ago
It would be necessary to add a role to the EC2 computers for SSM access; installing only the agent is not enough. On the other hand, users would have to change from using RDP to opening the session through Fleet Manager, since from the Connect tab they would only get a PowerShell. For me, the most balanced answer would be D.
upvoted 1 times
shotty1
3 years, 3 months ago
Selected Answer: B
it is B
upvoted 1 times
pititcu667
3 years, 3 months ago
Selected Answer: B
It's a Windows / SSM based question. It's trying to assert if you know about the remote login option of SSM.
upvoted 1 times
vbal
3 years, 5 months ago
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html
upvoted 1 times
AzureDP900
3 years, 5 months ago
B is right. Systems Manager manages EC2 instances.
upvoted 1 times
AzureDP900
3 years, 5 months ago
D is right. Systems Manager manages EC2 instances.
upvoted 2 times
Liongeek
3 years, 6 months ago
I totally agree with all those who say it's B. I'd mark B too. I'm just a bit concerned by "Windows remote desktop protocol", which can't be used with Session Manager.
upvoted 1 times
Viper57
3 years, 6 months ago
RDP isn't required if you use Session Manager, as it can be accessed through the console. You can create an RDP tunnel through Session Manager if it's completely necessary. https://awscloudsecvirtualevent.com/workshops/module1/rdp/
upvoted 2 times
Liongeek
3 years, 5 months ago
I switched to B thanks to this lab; we can use SSM to RDP to an EC2 Windows instance.
upvoted 1 times
andylogan
3 years, 6 months ago
It's B. Systems Manager agent can manage EC2 instances with RDP.
upvoted 2 times
Goram113
3 years, 6 months ago
https://aws.amazon.com/blogs/mt/manage-aws-managed-microsoft-ad-resources-with-session-manager-port-forwarding/ It is B.
upvoted 1 times
tgv
3 years, 6 months ago
BBB ---
upvoted 1 times
blackgamer
3 years, 6 months ago
B for sure
upvoted 1 times
WhyIronMan
3 years, 6 months ago
I'll go with B, guys. With Systems Manager agent you can manage EC2 instances without the need to leave open ports to the world. Also, you can control which users can access Systems Manager, giving one more security control.
upvoted 2 times
jobe42
3 years, 6 months ago
After reading https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html#session-manager: "After the session is started, you can run Powershell commands as you would through any other connection type." So no RDP, just PS => D
upvoted 1 times
TomPaschenda
3 years, 6 months ago
You can use Port Forwarding with SSM to still access via Remote Desktop: https://aws.amazon.com/about-aws/whats-new/2019/08/now-forward-traffic-between-a-local-and-remote-port-using-session-manager/ B is correct.
upvoted 2 times
Tony_W
3 years, 6 months ago
The security team has noticed connection attempts. The ONLY way to stop this, it seems, is a Site-to-Site VPN. A and C won't work with Windows, so they are auto out. Seems to me a VPN secures the connection, stops the outside attempts, and would allow RDP without any other config changes.
upvoted 1 times
WhyIronMan
3 years, 6 months ago
You're wrong. SSM Session Manager works for Windows and you don't need to leave the ports open to the world. https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html#session-manager
upvoted 2 times
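The weak setting in the question (a security group that admits RDP from the internet) and the Session Manager port-forwarding alternative that Viper57, TomPaschenda and Goram113 link to, as an added Python example; it is not from the exam page, the commenters, or AWS. The security group dictionaries, the instance id and the CIDRs are constructed sample values that mimic the `IpPermissions` shape of an EC2 `DescribeSecurityGroups` entry, and the function names are my own. `AWS-StartPortForwardingSession`, its `portNumber`/`localPortNumber` parameters, and the `AmazonSSMManagedInstanceCore` managed policy are real AWS names.

```python
"""Check a security group for world-reachable RDP and build the Session Manager
port-forwarding invocation that removes the need for any inbound rule.
Added example; all sample data below is constructed."""
import ipaddress
import json

RDP_PORT = 3389
SSM_CORE_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Constructed sample: the weak setting from the question (RDP open to 0.0.0.0/0).
WEAK_SG = {
    "GroupId": "sg-0weak0000example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

# Constructed sample: option D style, RDP only from a corporate range (203.0.113.0/24 is a documentation prefix).
CORP_ONLY_SG = {
    "GroupId": "sg-0corp0000example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ],
}

# Constructed sample: option B style, no inbound rules at all; access goes through SSM.
HARDENED_SG = {"GroupId": "sg-0hard0000example", "IpPermissions": []}


def rdp_open_to_world(security_group: dict) -> list:
    """Return the CIDRs of inbound rules that expose TCP/3389 to every address.
    A /0 prefix (0.0.0.0/0 or ::/0) is the offending case; narrower ranges are not flagged."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue  # UDP/ICMP rules cannot carry RDP
        if proto == "tcp":
            # "-1" means all protocols and ports; for tcp check the port range covers 3389
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not lo <= RDP_PORT <= hi:
                continue
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"], strict=False).prefixlen == 0:
                findings.append(rng["CidrIp"])
        for rng in perm.get("Ipv6Ranges", []):
            if ipaddress.ip_network(rng["CidrIpv6"], strict=False).prefixlen == 0:
                findings.append(rng["CidrIpv6"])
    return findings


def instance_profile_allows_ssm(attached_policy_arns: list) -> bool:
    """joancarles' point: the agent alone is not enough; the instance role must grant SSM access.
    This checks for the AWS managed policy; a customer-managed equivalent would need a deeper policy check."""
    return SSM_CORE_POLICY in attached_policy_arns


def session_manager_rdp_command(instance_id: str, local_port: int = 13389) -> list:
    """argv for the AWS CLI that forwards a local port to TCP/3389 on the instance over SSM.
    The RDP client then connects to localhost:<local_port>; no inbound security group rule is needed."""
    params = {"portNumber": [str(RDP_PORT)], "localPortNumber": [str(local_port)]}
    return ["aws", "ssm", "start-session",
            "--target", instance_id,
            "--document-name", "AWS-StartPortForwardingSession",
            "--parameters", json.dumps(params)]


if __name__ == "__main__":
    for sg in (WEAK_SG, CORP_ONLY_SG, HARDENED_SG):
        print(sg["GroupId"], "world-open RDP from:", rdp_open_to_world(sg) or "none")
    print("instance profile ok:", instance_profile_allows_ssm([SSM_CORE_POLICY]))
    print(" ".join(session_manager_rdp_command("i-0123456789abcdef0")))  # constructed instance id
```

Two caveats the thread does not spell out: the agent reaches Systems Manager outbound over HTTPS, so the instances need either internet egress or VPC interface endpoints for the `ssm`, `ssmmessages` and `ec2messages` services, and the person running `start-session` needs IAM permission for that action and that instance, which is the "restricting access to users with permission" part of option B.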