Exam AWS-SysOps topic 1 question 653 discussion

D is the MOST secure way of providing access. Providing the SSH key that was used while launching the instance, means providing root access. Its definitely not advisable to share the original keypair, and you also wouldn't be sure if the SysOps Admin would keep it safe. By creating an Administrative account, you can still restrict the access that is required by the admin (ALMOST full access but not root access), and storing the credentials in AWS Secrets Manger would ensure that they are safe and secure.

By creating a new administrative account on the bastion host, separate from the existing accounts managed by the Security team, and securely storing the credentials in AWS Secrets Manager, the Security team can provide controlled access to the SysOps Administrator. AWS Secrets Manager enables secure storage and retrieval of secrets, such as passwords and access keys, and provides integration with IAM for access management. This approach allows for fine-grained control over the access to the bastion host by managing the credentials separately. It also offers auditability and the ability to rotate the secrets periodically to enhance security.

I would go with D and not the default answer. Why not B? the orignal SSH key that the bastion was created is a PRIVATE key! You should never share your private key or else someone can use your identity. (this is why its called a PRIVATE key)

D is the answer

D. Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.

I'll go with D

How can AWS Secrets Manager understand User/Password on Bastion Host. I go with B

Answer D:

D, is the MOST secure way.

B would be correct if a new key pair was provided. As the answer is mentioning the original key pair, I would avoid that answer and choose the more appropriate one which is D. A and C suggest providing similar credentials or role as the security team which doesn’t make sense.

B is not secure to share SSH keys! D is a better and more secure option

Answer D: B should be right if they not mentioned about "bastion host when it was originally launched". So, this not a correct answer. IF we are looking at a secure way of storing the keys, then Secret Manager is only an answer. Where, we can give access to the Security Team and their keys will be rotated based on the period we configure. https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-manager-securely-store-rotate-ssh-key-pairs/

I think B is correct. Because AWS Secrets Manager is seen at not relate to remote Bastion Host. Normally, it will use for authentication for some another services (rds, user/pass parameter need encrypt + rorate).

B http://justsomestuff.co.uk/theblog/2017/01/15/using-a-bastion-host-to-access-your-aws-ec2-instances/

D. Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.

What if the bastion host is Winidows RDP? I inclined to choose D

Both B & D are possible. But the question is Most Secure way which thinks to select D.