Exam AWS Certified Security - Specialty topic 1 question 338 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 338
Topic #: 1

A company does not allow the permanent installation of SSH keys onto an Amazon Linux 2 EC2 instance. However, three employees who have IAM user accounts require access to the EC2 instance. The employees must use an SSH session to perform critical duties.

How can a security engineer provide the appropriate access to the EC2 instance to meet these requirements?

  • A. Use AWS Systems Manager Inventory to select the EC2 instance and connect. Provide the IAM user accounts with the permissions to use Systems Manager Inventory.
  • B. Use AWS Systems Manager Run Command to open an SSH connection to the EC2 instance. Provide the IAM user accounts with the permissions to use Run Command.
  • C. Use AWS Systems Manager Session Manager. Provide the IAM user accounts with the permissions to use Systems Manager Session Manager.
  • D. Connect to the EC2 instance as the ec2-user through the AWS Management Console’s EC2 SSH client method. Provide the IAM user accounts with access to use the EC2 service in the AWS Management Console.
Suggested Answer: C 🗳️
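
An IAM policy of the kind option C calls for, shown as an added example that is not part of the original question or any comment. It lets an IAM user start Session Manager sessions on one instance and end or resume only their own sessions; `REGION`, `ACCOUNT_ID` and `INSTANCE_ID` are placeholders to fill in.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnOneInstance",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNT_ID:instance/INSTANCE_ID",
        "arn:aws:ssm:REGION:ACCOUNT_ID:document/SSM-SessionManagerRunShell"
      ],
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "DescribeForConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceProperties",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
```

Attached to a group containing the three IAM users, this grants shell access without any key on the instance. The instance itself still needs SSM Agent running and an instance profile that allows it to register with Systems Manager.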

Comments

AdamWest
Highly Voted 2 years, 7 months ago
Selected Answer: C
Revised answer: C. Port forwarding: Redirect any port inside your managed node to a local port on a client. After that, connect to the local port and access the server application that is running inside the node. Note: Logging isn't available for Session Manager sessions that connect through port forwarding or SSH. This is because SSH encrypts all session data, and Session Manager only serves as a tunnel for SSH connections. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
upvoted 5 times
...
symplesims
Most Recent 2 years ago
C is correct. "The employees must use an SSH session to perform critical duties." SSM does not use the SSH protocol, but supports SSH sessions - https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#sessions-start-ssh
upvoted 1 times
...
Green53
2 years ago
Selected Answer: D
I'd actually go D here, because of: "The employees must use an SSH session to perform critical duties." C does not provide an SSH session. Yes, it seems you can now tunnel the connection, as described here: https://repost.aws/knowledge-center/systems-manager-ssh-vpc-resources But that requires permanent installation of public keys (to verify the initial SSH connection). This is explicitly not allowed. Since A/B are garbage, that really only leaves D. I don't see why D isn't related to EC2 Instance Connect: https://aws.amazon.com/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/ Sounds exactly like what they're attempting to do. Provide SSH access via the console for IAM users. D uses temporary credentials to connect to the instance. Answer is D.
upvoted 1 times
...
Toptip
2 years ago
Selected Answer: C
C is 100% correct. Easy one...
upvoted 2 times
...
6_8ftwin
2 years ago
C. For the people saying D, the method described (i.e., "AWS Management Console’s EC2 SSH client method") is not EC2 Instance Connect.
upvoted 1 times
...
Tofu13
2 years, 1 month ago
Selected Answer: D
Session Manager connects via ssm agent to the instance, which is apparently similar to SSH, but not the same. https://repost.aws/knowledge-center/systems-manager-ssh-vpc-resources (U can use real SSH tunnels once logged in though, but that's not the question)
upvoted 1 times
...
Mark1000
2 years, 1 month ago
Answer C https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
upvoted 2 times
...
ITGURU51
2 years, 1 month ago
Session manager enables secure remote access to endpoints running in the cloud or in data center environments. C
upvoted 1 times
...
D2
2 years, 7 months ago
Selected Answer: C
Answer C
upvoted 3 times
...
AdamWest
2 years, 7 months ago
Selected Answer: D
D - Systems manager essentially disables ssh. In 2019 AWS provided Amazon EC2 Instance Connect, a new way to control SSH access to your EC2 instances using AWS Identity and Access Management (IAM). https://aws.amazon.com/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/
upvoted 2 times
D2
2 years, 7 months ago
As per the Instance Connect feature, users would log in using IAM user access. Whereas, in option users are logging in as 'ec2-user'. In my view, the answer should be option C, not D.
upvoted 1 times
Green53
2 years ago
The user authenticates as ec2-user on the instance (as it's Amazon Linux), but they use IAM for the initial authorisation.
upvoted 1 times
...
...
...