Exam AWS Certified Security - Specialty topic 1 question 276 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 276
Topic #: 1

A security engineer has been tasked with implementing a solution that allows the company's development team to have interactive command line access to Amazon EC2 Linux instances using the AWS Management Console.
Which steps should the security engineer take to satisfy this requirement while maintaining least privilege?

  • A. Enable AWS Systems Manager in the AWS Management Console and configure for access to EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM user policies to allow development team access to the Systems Manager Session Manager and attach to the team's IAM users.
  • B. Enable console SSH access in the EC2 console. Configure IAM user policies to allow development team access to the AWS Systems Manager Session Manager and attach to the development team's IAM users.
  • C. Enable AWS Systems Manager in the AWS Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure a security group that allows SSH port 22 from all published IP addresses. Configure IAM user policies to allow development team access to the AWS Systems Manager Session Manager and attach to the team's IAM users.
  • D. Enable AWS Systems Manager in the AWS Management Console and configure to access EC2 instances using the default AmazonEC2RoleforSSM role. Install the Systems Manager Agent on all EC2 Linux instances that need interactive access. Configure IAM user policies to allow development team access to the EC2 console and attach to the team's IAM users.
Suggested Answer: A

Comments

fais1985
Highly Voted 3 years, 9 months ago
A is correct; we have to use the Systems Manager Session Manager, not the EC2 console.
upvoted 20 times
...
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: A
Correct answer is A.
upvoted 1 times
...
ITGURU51
2 years, 2 months ago
Session Manager provides secure remote access to EC2 instances and servers located in the data center. Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. As a result, answer (A) provides least privilege by design.
upvoted 1 times
...
Smartphone
2 years, 5 months ago
"AmazonEC2RoleforSSM – This policy will be deprecated. In its place, use the AmazonSSMManagedInstanceCore policy to allow Systems Manager service core functionality on EC2 instances." https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html This type of question will not come up in the exam. However, the correct answer is A.
upvoted 1 times
...
nupagazi
2 years, 5 months ago
I think both A & D are correct because the requirement does not mention anything about Systems Manager and just requires interactive command line access from the Management Console, which provides both Systems Manager and the EC2 console. The only thing is that with D you don't need to install the SSM agent. Ref: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html#restrict-access-quickstart-admin
upvoted 2 times
...
dcasabona
2 years, 11 months ago
Selected Answer: A
I go for option A.
upvoted 1 times
...
JOKERO
3 years, 1 month ago
You can create a policy that allows users to start sessions from only the Session Manager console and AWS Command Line Interface (AWS CLI), from only the Amazon Elastic Compute Cloud (Amazon EC2) console, or from all three.
upvoted 1 times
...
Jonfernz
3 years, 1 month ago
Selected Answer: A
A over D because you wouldn't want to give access to the EC2 console, where other workloads might be running.
upvoted 1 times
...
roger8978
3 years, 6 months ago
A. However the policy name should be AmazonSSMManagedInstanceCore.
upvoted 2 times
...
HananS
3 years, 8 months ago
AmazonEC2RoleforSSM: this policy should be replaced by AmazonSSMManagedInstanceCore and will be deprecated soon. It enables an instance to use both core Systems Manager features and additional features such as Session Manager, directory join, CloudWatch, and storing command output to Amazon S3.
upvoted 1 times
...
hk436
3 years, 8 months ago
A is my answer!
upvoted 3 times
...
robbyyy
3 years, 8 months ago
The Answer is D. You can create a policy that allows administrators to perform these tasks from only the Session Manager console and AWS CLI, from only the Amazon EC2 console, or from all three. https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html#restrict-access-quickstart-admin
upvoted 1 times
babaseun
3 years, 8 months ago
Your link shows the answer is A... Session Manager console and AWS CLI
upvoted 2 times
...
...
dumma
3 years, 9 months ago
D is correct
upvoted 3 times
dumma
3 years, 8 months ago
It's A, not D. I take back my previous answer.
upvoted 2 times
...
...
dumma
3 years, 9 months ago
This role AmazonEC2RoleforSSM will be replaced by AmazonSSMManagedInstanceCore https://aws.amazon.com/blogs/mt/applying-managed-instance-policy-best-practices/
upvoted 3 times
...
stamford
3 years, 9 months ago
Hope it is D
upvoted 1 times
...
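
An added example, not part of the thread or AWS's own code: a small audit that checks a Session Manager setup against the points raised above (scoped `ssm:StartSession`, the newer instance policy, no inbound SSH). The tag key `Team`, the finding codes and the simplified security-group rule shape are assumptions made for illustration.

```python
def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit(user_policy, instance_policies, sg_ingress):
    """Return finding codes for a Session Manager access setup."""
    findings = []
    for stmt in _as_list(user_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        # Whole-service grants go beyond the Session Manager access option A asks for.
        if actions & {"*", "ssm:*", "ec2:*"}:
            findings.append("wildcard-action")
        # StartSession on every instance with no tag condition.
        if "ssm:startsession" in actions and not stmt.get("Condition") and any(
                r == "*" or r.endswith(":instance/*") for r in resources):
            findings.append("unscoped-start-session")
        # Terminate/Resume should be pinned to the caller's own sessions.
        if actions & {"ssm:terminatesession", "ssm:resumesession"} and any(
                r == "*" or r.endswith(":session/*") for r in resources):
            findings.append("controls-other-users-sessions")
    # Commenters note AmazonSSMManagedInstanceCore replaces this policy.
    if "AmazonEC2RoleforSSM" in instance_policies:
        findings.append("legacy-instance-policy")
    # Session Manager needs no inbound ports, so any port-22 rule is excess.
    if any(rule["port"] == 22 for rule in sg_ingress):
        findings.append("inbound-ssh-not-needed")
    return findings


# Constructed sample: tag key "Team" and value "dev" are assumptions.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringLike": {"ssm:resourceTag/Team": ["dev"]}}},
    {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
     "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"}]}
# Constructed sample: a broad grant, audited together with option C's SSH rule.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:StartSession", "ec2:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(audit(SCOPED, ["AmazonSSMManagedInstanceCore"], []))
    print(audit(BROAD, ["AmazonEC2RoleforSSM"], [{"port": 22, "cidr": "0.0.0.0/0"}]))
```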