Answer-first summary for fast verification
Answer: Use AWS Systems Manager Session Manager to connect to the EC2 instances.
## Explanation **Correct Answer: A - Use AWS Systems Manager Session Manager to connect to the EC2 instances.** **Why this is the correct answer:** 1. **Eliminates SSH keys entirely**: AWS Systems Manager Session Manager provides a secure way to connect to EC2 instances without using SSH keys. It uses AWS Identity and Access Management (IAM) for authentication and authorization, completely eliminating the need for SSH key management. 2. **Least administrative overhead**: Session Manager requires minimal setup: - Install the SSM Agent on EC2 instances (already installed on many Amazon Linux AMIs) - Configure IAM roles with appropriate permissions - No need to manage, rotate, or distribute SSH keys - No bastion hosts to maintain 3. **Security benefits**: - All sessions are logged to Amazon CloudWatch Logs and Amazon S3 - Session activity can be audited - No inbound SSH ports need to be opened in security groups - Uses AWS IAM for fine-grained access control **Why other options are incorrect:** **B. Use AWS Security Token Service (AWS STS) to generate one-time SSH keys on demand.** - This would still require managing SSH keys (even if temporary) - More complex implementation needed - Still requires SSH daemon configuration and key distribution **C. Allow shared SSH access to a set of bastion instances. Configure all other instances to allow only SSH access from the bastion instances.** - This doesn't eliminate shared SSH keys, it just centralizes them - Still requires SSH key management on bastion hosts - Creates a single point of failure/attack - Requires maintaining bastion instances **D. Use an Amazon Cognito custom authorizer to authenticate users. Invoke an AWS Lambda function to generate a temporary SSH key.** - Overly complex solution - Requires custom development and maintenance - Still involves SSH key generation and management - More administrative overhead than Session Manager **Key AWS Services Used:** - **AWS Systems Manager Session Manager**: Provides secure, auditable instance management without SSH keys - **IAM**: Centralized access control and authentication - **CloudWatch Logs**: Session logging and auditing This solution aligns with AWS best practices for secure instance management while minimizing administrative overhead.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A company has hundreds of Amazon EC2 Linux-based instances in the AWS Cloud. Systems administrators have used shared SSH keys to manage the instances. After a recent audit, the company's security team is mandating the removal of all shared keys. A solutions architect must design a solution that provides secure access to the EC2 instances.
Which solution will meet this requirement with the LEAST amount of administrative overhead?
A
Use AWS Systems Manager Session Manager to connect to the EC2 instances.
B
Use AWS Security Token Service (AWS STS) to generate one-time SSH keys on demand.
C
Allow shared SSH access to a set of bastion instances. Configure all other instances to allow only SSH access from the bastion instances.
D
Use an Amazon Cognito custom authorizer to authenticate users. Invoke an AWS Lambda function to generate a temporary SSH key.