AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company has hundreds of Amazon EC2 Linux-based instances in the AWS Cloud. Systems administrators have used shared SSH keys to manage the instances. After a recent audit, the company's security team is mandating the removal of all shared keys. A solutions architect must design a solution that provides secure access to the EC2 instances.

Which solution will meet this requirement with the LEAST amount of administrative overhead?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use AWS Systems Manager Session Manager to connect to the EC2 instances.

Use AWS Security Token Service (AWS STS) to generate one-time SSH keys on demand.

Allow shared SSH access to a set of bastion instances. Configure all other instances to allow only SSH access from the bastion instances.

Use an Amazon Cognito custom authorizer to authenticate users. Invoke an AWS Lambda function to generate a temporary SSH key.

Explanation:

Explanation

Correct Answer: A - Use AWS Systems Manager Session Manager to connect to the EC2 instances.

Why this is the correct answer:

Eliminates SSH keys entirely: AWS Systems Manager Session Manager provides a secure way to connect to EC2 instances without using SSH keys. It uses AWS Identity and Access Management (IAM) for authentication and authorization, completely eliminating the need for SSH key management.
Least administrative overhead: Session Manager requires minimal setup:
- Install the SSM Agent on EC2 instances (already installed on many Amazon Linux AMIs)
- Configure IAM roles with appropriate permissions
- No need to manage, rotate, or distribute SSH keys
- No bastion hosts to maintain
Security benefits:
- All sessions are logged to Amazon CloudWatch Logs and Amazon S3
- Session activity can be audited
- No inbound SSH ports need to be opened in security groups
- Uses AWS IAM for fine-grained access control

Why other options are incorrect:

B. Use AWS Security Token Service (AWS STS) to generate one-time SSH keys on demand.

This would still require managing SSH keys (even if temporary)
More complex implementation needed
Still requires SSH daemon configuration and key distribution

C. Allow shared SSH access to a set of bastion instances. Configure all other instances to allow only SSH access from the bastion instances.

This doesn't eliminate shared SSH keys, it just centralizes them
Still requires SSH key management on bastion hosts
Creates a single point of failure/attack
Requires maintaining bastion instances

D. Use an Amazon Cognito custom authorizer to authenticate users. Invoke an AWS Lambda function to generate a temporary SSH key.

Overly complex solution
Requires custom development and maintenance
Still involves SSH key generation and management
More administrative overhead than Session Manager

Key AWS Services Used:

AWS Systems Manager Session Manager: Provides secure, auditable instance management without SSH keys
IAM: Centralized access control and authentication
CloudWatch Logs: Session logging and auditing

This solution aligns with AWS best practices for secure instance management while minimizing administrative overhead.

Powered ByGPT-5.2

Comments

Loading comments...