Which solution will meet these requirements?
Create an Amazon EventBridge rule to send notifications to the security team whenever a user logs in to an EC2 instance. Use EC2 Instance Connect to log in to the instances. Deploy Auto Scaling groups by using AWS CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routes for external access. Rebuild the custom AMI so that the custom AMI includes AWS Systems Manager Agent.
Deploy a NAT gateway and a bastion host that has internet access. Create a security group that allows incoming traffic on all the EC2 instances from the bastion host. Install AWS Systems Manager Agent on all the EC2 instances. Use Auto Scaling group lifecycle hooks for monitoring and auditing access. Use Systems Manager Session Manager to log in to the instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Send notifications to the security team by using S3 event notifications.
Use EC2 Image Builder to rebuild the custom AMI. Include the most recent version of AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all the EC2 instances. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 event notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
Use AWS Systems Manager Automation to build Systems Manager Agent into the custom AMI. Configure AWS Config to attach an SCP to the root organization account to allow the EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 event notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
Explanations:
Although EC2 Instance Connect provides a way to log in, it does not centralize or automate access management. The solution also does not address logging of access or notifying the security team about instance logins. Additionally, using cfn-init to deploy VPC routes for external access is unnecessary, since the EC2 instances should not have internet access.
This option introduces a NAT gateway and a bastion host, which are not needed because the EC2 instances cannot access the internet. It also does not centralize access management and complicates the architecture. While it mentions using Systems Manager for session management, it relies on external access methods, which contradicts the requirement that the instances have no internet access.
This option effectively rebuilds the custom AMI with the latest Systems Manager Agent, allowing for controlled access via Systems Manager Session Manager. It also includes proper logging of session details to S3 and creates an SNS notification system for the security team when new logs are uploaded, fulfilling all requirements of centralization and notification.
This option suggests using AWS Config to attach a service control policy (SCP), which is not relevant for enabling Systems Manager access. It incorrectly assumes a configuration that may not work if the EC2 instances are restricted from internet access. While it does mention using Systems Manager for access and logging, it fails to meet the requirements for centralized management and automated notifications effectively.
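As an added illustration of the third option (not part of the original question or its explanations), the following CloudFormation fragment wires together the pieces that explanation relies on: an instance role carrying AmazonSSMManagedInstanceCore attached through the launch template the Auto Scaling group uses, Session Manager preferences that write every session log to S3, and an S3 event notification that publishes each new log object to an SNS topic for the security team. The AMI ID is a placeholder for the EC2 Image Builder image, and the Auto Scaling group, the team's SNS subscription and the VPC are assumed to exist outside this fragment.

```yaml
Resources:
  SecurityTopic:
    Type: AWS::SNS::Topic   # the security team's subscription (e-mail, chat, ticketing) is configured separately
  SecurityTopicPolicy:      # lets S3 in this account publish upload events to the topic
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref SecurityTopic]
      PolicyDocument:
        Statement:
          - { Effect: Allow, Principal: { Service: s3.amazonaws.com }, Action: sns:Publish,
              Resource: !Ref SecurityTopic, Condition: { StringEquals: { aws:SourceAccount: !Ref AWS::AccountId } } }
  SessionLogBucket:         # every new session log object triggers the notification
    Type: AWS::S3::Bucket
    DependsOn: SecurityTopicPolicy
    Properties:
      NotificationConfiguration:
        TopicConfigurations:
          - { Event: 's3:ObjectCreated:*', Topic: !Ref SecurityTopic }
  SessionPreferences:       # Session Manager preferences: log every session to the bucket
    Type: AWS::SSM::Document
    Properties:
      Name: SSM-SessionManagerRunShell
      DocumentType: Session
      Content:
        schemaVersion: '1.0'
        sessionType: Standard_Stream
        inputs: { s3BucketName: !Ref SessionLogBucket, s3KeyPrefix: session-logs/, s3EncryptionEnabled: true }
  InstanceRole:             # SSM core permissions plus write access to the log bucket
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - { Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: sts:AssumeRole }
      ManagedPolicyArns: [arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore]
      Policies:
        - PolicyName: SessionLogUpload
          PolicyDocument:
            Statement:
              - { Effect: Allow, Action: [s3:PutObject, s3:GetEncryptionConfiguration],
                  Resource: [!GetAtt SessionLogBucket.Arn, !Sub '${SessionLogBucket.Arn}/*'] }
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: { Roles: [!Ref InstanceRole] }
  LaunchTemplate:           # the Auto Scaling group launches from this template (the group itself is omitted)
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: ami-0123456789abcdef0   # placeholder: the EC2 Image Builder AMI that already contains SSM Agent
        IamInstanceProfile: { Arn: !GetAtt InstanceProfile.Arn }
```

Because the instances have no internet path, the VPC also needs interface endpoints for the ssm, ssmmessages and ec2messages services plus an S3 gateway endpoint for the log uploads, which are omitted here. If Session Manager preferences were ever saved in the account, the SSM-SessionManagerRunShell document already exists and must be updated or imported rather than created by the stack.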