Exam AWS Certified Security - Specialty topic 1 question 367 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 367
Topic #: 1
A company wants to prevent SSH access through the use of SSH key pairs for any Amazon Linux 2 Amazon EC2 instances in its AWS account. However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency. For auditing purposes, the company needs to record any commands that a user runs in an EC2 instance.

What should a security engineer do to configure access to these EC2 instances to meet these requirements?

  • A. Use the EC2 serial console. Configure the EC2 serial console to save all commands that are entered to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows the EC2 serial console to access Amazon S3. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use the EC2 serial console.
  • B. Use EC2 Instance Connect. Configure EC2 Instance Connect to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instances with an IAM role that allows the EC2 Instances to access CloudWatch Logs. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use EC2 Instance Connect.
  • C. Use an EC2 key pair with an EC2 instance that needs SSH access. Access the EC2 instance with this key pair by using SSH. Configure the EC2 instance to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instance with an IAM role that allows the EC2 instance to access Amazon S3 and CloudWatch Logs.
  • D. Use AWS Systems Manager Session Manager. Configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows Systems Manager to manage the EC2 instances. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use Session Manager.
Suggested Answer: D 🗳️

Comments

luisfsm_111
Highly Voted 2 years, 5 months ago
Selected Answer: D
I think it's D. With Session Manager, any command can be sent to S3 or CloudWatch Logs, while on Instance Connect only the API requests are sent to CloudTrail.
upvoted 5 times
AdamWest
2 years, 5 months ago
I agree.
upvoted 1 times
Toptip
Most Recent 1 year, 11 months ago
Selected Answer: D
D. Steps to log session data using Amazon S3 (console):
  • Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
  • In the navigation pane, choose Session Manager.
  • Choose the Preferences tab, and then choose Edit.
  • Select the check box next to Enable under S3 logging.
  • (Recommended) Select the check box next to Allow only encrypted S3 buckets. With this option turned on, log data is encrypted using the server-side encryption key specified for the bucket. If you don't want to encrypt the log data that is sent to Amazon S3, clear the check box. You must also clear the check box if encryption isn't allowed on the S3 bucket.
  • For S3 bucket name, select one of the following:
upvoted 1 times
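The suggested answer and the console steps quoted above boil down to two things a reviewer can check mechanically: the regional Session Manager preferences document must actually retain session transcripts (S3 and/or CloudWatch Logs, with encryption required), and the administrator's IAM policy must grant Session Manager only, without also allowing an unlogged SSH path such as EC2 Instance Connect, the serial console, or key-pair creation. The following added example (not from the original thread or from AWS) encodes both checks. The preferences document mirrors the documented `SSM-SessionManagerRunShell` input keys, the bucket name and key prefix are placeholders, and the `${aws:username}` session ARN pattern in the sample policy is an assumption modelled on AWS's published end-user policy examples.

```python
"""Audit checks for the Session Manager design chosen in answer D.

Constructed example: the documents below mimic the shape of an
SSM-SessionManagerRunShell preferences document and administrator IAM
policies. Bucket and prefix values are placeholders, not real resources.
"""
import fnmatch
import json

# Constructed sample of the regional preferences document written when
# "Enable" under S3 logging and "Allow only encrypted S3 buckets" are chosen.
SESSION_PREFERENCES = {
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "example-session-logs-bucket",  # placeholder bucket
        "s3KeyPrefix": "session-logs/",                  # placeholder prefix
        "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "",
        "cloudWatchEncryptionEnabled": True,
        "cloudWatchStreamingEnabled": False,
        "runAsEnabled": False,
        "shellProfile": {"linux": ""},
    },
}

# Constructed sample with transcript logging switched off entirely.
WEAK_PREFERENCES = {
    "schemaVersion": "1.0",
    "sessionType": "Standard_Stream",
    "inputs": {"s3BucketName": "", "s3EncryptionEnabled": False,
               "cloudWatchLogGroupName": ""},
}

# Constructed administrator policy: Session Manager only. The session ARN
# pattern with ${aws:username} is assumed from AWS's end-user policy examples.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:StartSession"],
         "Resource": ["arn:aws:ec2:*:*:instance/*",
                      "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"]},
        {"Effect": "Allow",
         "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": ["arn:aws:ssm:*:*:session/${aws:username}-*"]},
    ],
}

# Constructed policy that quietly reopens the Instance Connect path (option B).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:StartSession", "ec2-instance-connect:SendSSHPublicKey"],
         "Resource": "*"},
    ],
}

# Actions that would give an SSH path outside Session Manager logging,
# mapped to the answer option they correspond to.
SSH_BYPASS_ACTIONS = {
    "ec2-instance-connect:SendSSHPublicKey": "EC2 Instance Connect (option B)",
    "ec2-instance-connect:SendSerialConsoleSSHPublicKey": "EC2 serial console (option A)",
    "ec2:CreateKeyPair": "EC2 key pair (option C)",
    "ec2:ImportKeyPair": "EC2 key pair (option C)",
}


def logging_findings(prefs: dict) -> list:
    """Return the ways a preferences document fails 'record every command'."""
    inputs = prefs.get("inputs", {})
    findings = []
    s3_on = bool(inputs.get("s3BucketName"))
    cw_on = bool(inputs.get("cloudWatchLogGroupName"))
    if not (s3_on or cw_on):
        findings.append("no S3 bucket or CloudWatch log group configured: "
                        "session transcripts are not retained")
    if s3_on and not inputs.get("s3EncryptionEnabled", False):
        findings.append("S3 logging accepts unencrypted buckets")
    if cw_on and not inputs.get("cloudWatchEncryptionEnabled", False):
        findings.append("CloudWatch logging accepts an unencrypted log group")
    return findings


def _listed(value) -> list:
    """IAM accepts a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def admin_policy_findings(policy: dict) -> list:
    """Flag Allow statements whose Action patterns cover an SSH bypass action."""
    findings = []
    for stmt in _listed(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _listed(stmt.get("Action")):
            for action, label in SSH_BYPASS_ACTIONS.items():
                # IAM action names are case-insensitive and '*' is the wildcard.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append(f"{pattern} allows {action} ({label})")
    return findings


def design_meets_requirements(prefs: dict, policy: dict) -> bool:
    """True when transcripts are retained and no SSH bypass is granted."""
    return not logging_findings(prefs) and not admin_policy_findings(policy)


if __name__ == "__main__":
    print(json.dumps({
        "compliant": design_meets_requirements(SESSION_PREFERENCES, ADMIN_POLICY),
        "weak_prefs": logging_findings(WEAK_PREFERENCES),
        "overbroad_policy": admin_policy_findings(OVERBROAD_POLICY),
    }, indent=2))
```

In practice the preferences document would be pulled with the Systems Manager `GetDocument` API for `SSM-SessionManagerRunShell` in each region, and the policy from IAM; the check then runs unchanged over those responses. The policy check deliberately evaluates only `Allow` statements and honours `*` wildcards, since a broad `ec2:*` grant reopens key-pair creation just as surely as naming the action explicitly.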
ITGURU51
2 years ago
To meet the requirements of preventing SSH access through the use of SSH key pairs while still allowing occasional emergency access by a system administrator and recording any commands that a user runs in an EC2 instance for auditing purposes, a security engineer should use AWS Systems Manager Session Manager. They should configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucket.
upvoted 2 times
KarthikRaveRaam
2 years, 4 months ago
Agree with D. But this statement is my concern "However, a system administrator occasionally will need to access these EC2 instances through SSH in an emergency."
upvoted 3 times
secdaddy
2 years, 4 months ago
"You can allow users in your AWS account to use the AWS Command Line Interface (AWS CLI) to establish Secure Shell (SSH) connections to managed nodes using AWS Systems Manager Session Manager." https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html
upvoted 3 times
tainh
2 years, 5 months ago
Selected Answer: D
D is correct. 1. Prevent SSH access: use Session Manager (SSM). 2. Record any command that users run in an EC2 instance: save all commands to S3 buckets. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html#session-manager-logging-s3
upvoted 3 times
landsamboni
2 years, 5 months ago
Selected Answer: D
Should be D
upvoted 1 times
D2
2 years, 5 months ago
Selected Answer: D
Answer D
upvoted 1 times
AdamWest
2 years, 5 months ago
Selected Answer: D
D - After review I agree it should be D
upvoted 1 times
Isaias
2 years, 5 months ago
Selected Answer: D
I agree with D
upvoted 1 times
AdamWest
2 years, 5 months ago
Selected Answer: B
B --75% https://medium.com/the-scale-factory/should-you-use-aws-ec2-instance-connect-to-ssh-into-your-instances-5c13b5fd565a
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other