AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company recently launched a variety of new workloads on Amazon EC2 instances in its AWS account. The company needs to create a strategy to access and administer the instances remotely and securely. The company needs to implement a repeatable process that works with native AWS services and follows the AWS Well-Architected Framework.

Which solution will meet these requirements with the LEAST operational overhead?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use the EC2 serial console to directly access the terminal interface of each instance for administration.

Attach the appropriate IAM role to each existing instance and new instance. Use AWS Systems Manager Session Manager to establish a remote SSH session.

Create an administrative SSH key pair. Load the public key into each EC2 instance. Deploy a bastion host in a public subnet to provide a tunnel for administration of each instance.

Establish an AWS Site-to-Site VPN connection. Instruct administrators to use their local on-premises machines to connect directly to the instances by using SSH keys across the VPN tunnel.

Explanation:

Explanation

Correct Answer: B

AWS Systems Manager Session Manager provides a secure, auditable, and managed way to access EC2 instances without the need for SSH keys, bastion hosts, or VPN connections. Here's why option B is the best choice:

Key Advantages:

Least Operational Overhead: Session Manager eliminates the need to manage SSH keys, bastion hosts, or VPN connections. It's fully managed by AWS.
Native AWS Service: Session Manager is part of AWS Systems Manager, a native AWS service.
Secure by Default:
- Uses IAM for authentication and authorization
- All sessions are logged to CloudTrail and S3/CloudWatch Logs
- No inbound ports need to be opened on security groups
- Encrypted connections using AWS KMS
Repeatable Process: Simply attach the appropriate IAM role (with SSM permissions) to instances, and they become accessible via Session Manager.
AWS Well-Architected Framework Alignment:
- Security: IAM-based access control, encryption, audit logging
- Operational Excellence: Centralized management, automation-ready
- Reliability: No single point of failure (unlike bastion hosts)

Why Other Options Are Not Optimal:

A. EC2 Serial Console:

Limited functionality (serial console access only)
Not suitable for general administration
Doesn't provide a complete remote access solution

C. Bastion Host with SSH Keys:

High operational overhead (managing SSH keys, bastion host maintenance)
Security risks (SSH key management, bastion host as single point of failure)
Not fully managed by AWS

D. Site-to-Site VPN with SSH:

Complex setup and maintenance
Requires on-premises infrastructure
High operational overhead for VPN management
SSH key management challenges

Implementation Steps for Option B:

Ensure EC2 instances have the SSM Agent installed (pre-installed on Amazon Linux 2, Ubuntu, etc.)
Attach an IAM role with the AmazonSSMManagedInstanceCore policy to instances
Configure IAM policies for users who need access
Use AWS Management Console, CLI, or SDK to start sessions

This solution provides the most secure, scalable, and operationally efficient approach for remote EC2 administration.

Powered ByGPT-5.2

Comments

Loading comments...