How can a solutions architect meet these requirements?
Launch new EC2 instances, and generate an individual SSH key for each instance. Store the SSH key in AWS Secrets Manager. Create a new IAM policy, and attach it to the engineers’ IAM role with an Allow statement for the GetSecretValue action. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.
Create an AWS Systems Manager document to run commands on EC2 instances to set a new unique SSH key. Create a new IAM policy, and attach it to the engineers’ IAM role with an Allow statement to run Systems Manager documents. Instruct the engineers to run the document to set an SSH key and to connect through any SSH client.
Launch new EC2 instances without setting up any SSH key for the instances. Set up EC2 Instance Connect on each instance. Create a new IAM policy, and attach it to the engineers’ IAM role with an Allow statement for the SendSSHPublicKey action. Instruct the engineers to connect to the instance by using a browser-based SSH client from the EC2 console.
Set up AWS Secrets Manager to store the EC2 SSH key. Create a new AWS Lambda function to create a new SSH key and to call AWS Systems Manager Session Manager to set the SSH key on the EC2 instance. Configure Secrets Manager to use the Lambda function for automatic rotation once daily. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.
Explanations:
Secrets Manager can hold a unique key per instance, and each GetSecretValue call is recorded in CloudTrail, but the SSH session made afterward with an ordinary SSH client is not: CloudTrail logs AWS API calls, not SSH logins. Generating and managing one long-lived key per instance by hand is also inefficient, and a key fetched by every engineer in the role becomes a shared static credential rather than unique per-engineer access.
Run Command can place a new key on each instance, and the SendCommand call is logged in CloudTrail, but the key it installs is static from then on and the SSH connections made with it never appear in CloudTrail. This lacks the centralized, auditable connection record the company policy requires.
EC2 Instance Connect pushes a one-time public key to the instance through the SendSSHPublicKey API; the key is accepted for 60 seconds and the call, including the caller's IAM identity, the target instance and the OS user, is recorded in CloudTrail. No static key is provisioned on the instance, so every connection uses its own ephemeral key and leaves a centralized audit entry, which satisfies both the unique-access and the logging requirement. Both the browser-based client in the EC2 console and the AWS CLI use this path. Two practical caveats: the AMI must include the ec2-instance-connect package (Amazon Linux 2 and recent Ubuntu AMIs ship it), and the instance's security group must allow inbound SSH from the EC2 Instance Connect service IP range for the browser-based client. The IAM policy can be tightened further with the ec2:osuser condition key so engineers can only push keys for a specific OS user.
Adding a Lambda rotation function does not change the fundamental problem: the rotated key is still a shared static credential retrieved from Secrets Manager, only the GetSecretValue call is logged, and the SSH sessions themselves never reach CloudTrail. Daily rotation of a single shared key gives neither per-engineer nor per-connection uniqueness, and driving Session Manager from Lambda to write the key is awkward (Run Command is the API built for pushing commands to instances). The extra moving parts add complexity without meeting the logging requirement.
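As an added example (not part of the original question or explanations), the script below shows what the Instance Connect option looks like in practice: a least-privilege IAM policy for SendSSHPublicKey scoped with the ec2:osuser and ec2:ResourceTag condition keys, and an audit pass over CloudTrail records that reduces SendSSHPublicKey events to who connected to which instance as which OS user, flagging denied attempts and privileged OS users. The CloudTrail records are constructed for the example; the requestParameters field names (instanceId, osUser, sSHPublicKey) follow CloudTrail's record layout as I recall it and should be treated as an assumption, as should the Team tag name and the EngineerRole/account identifiers.

```python
"""EC2 Instance Connect: scoped IAM policy plus a CloudTrail audit.

Example code added to this page, not AWS's own. Assumptions: the CloudTrail
record shape used in SAMPLE_EVENTS, the 'Team' tag, and the role/account names.
"""
import json


def instance_connect_policy(account_id: str, region: str, os_user: str, team: str) -> dict:
    """Least-privilege policy: push a 60-second key only as `os_user`, only to
    instances tagged Team=<team>. ec2:osuser and ec2:ResourceTag/<key> are
    documented EC2 condition keys; the 'Team' tag name is an assumption."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PushEphemeralKey",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": f"arn:aws:ec2:{region}:{account_id}:instance/*",
                "Condition": {"StringEquals": {"ec2:osuser": os_user, "ec2:ResourceTag/Team": team}},
            },
            # The console's browser-based client lists instances first;
            # DescribeInstances has no resource-level scoping, so "*" is required.
            {"Sid": "ListInstances", "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        ],
    }


def _event(time, user, instance, os_user, ip, error=None, name="SendSSHPublicKey"):
    """Build one constructed CloudTrail record (not a real event)."""
    ev = {
        "eventTime": time,
        "eventSource": "ec2-instance-connect.amazonaws.com" if name == "SendSSHPublicKey" else "ec2.amazonaws.com",
        "eventName": name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::111122223333:assumed-role/EngineerRole/{user}"},
        "requestParameters": {"instanceId": instance, "osUser": os_user, "sSHPublicKey": f"ssh-ed25519 AAAA...{user}"},
    }
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample: two normal pushes, one as root, one denied, one unrelated call.
SAMPLE_EVENTS = [
    _event("2024-05-01T09:15:02Z", "alice", "i-0abc123def456789a", "ec2-user", "203.0.113.10"),
    _event("2024-05-01T09:20:40Z", "bob", "i-0abc123def456789a", "root", "203.0.113.11"),
    _event("2024-05-01T09:22:05Z", "carol", "i-0fedcba9876543210", "ec2-user", "198.51.100.7", error="AccessDenied"),
    _event("2024-05-01T09:25:00Z", "alice", "i-0abc123def456789a", None, "203.0.113.10", name="DescribeInstances"),
]


def load_events(text: str) -> list:
    """Parse a CloudTrail log file body, which wraps events in {"Records": [...]}."""
    return json.loads(text)["Records"]


def audit_instance_connect(events: list) -> list:
    """One audit row per key push: who, which instance, which OS user, from where."""
    rows = []
    for ev in events:
        if ev.get("eventSource") != "ec2-instance-connect.amazonaws.com" or ev.get("eventName") != "SendSSHPublicKey":
            continue
        params = ev.get("requestParameters") or {}
        rows.append({
            "time": ev["eventTime"],
            "principal": ev.get("userIdentity", {}).get("arn", "unknown"),
            "instance": params.get("instanceId"),
            "os_user": params.get("osUser"),
            "source_ip": ev.get("sourceIPAddress"),
            "outcome": ev.get("errorCode", "Success"),  # CloudTrail sets errorCode only on failure
        })
    return rows


def findings(rows: list, allowed_os_users=("ec2-user",)) -> list:
    """Raise denied attempts and pushes for an OS user outside the allow-list."""
    out = []
    for r in rows:
        if r["outcome"] != "Success":
            out.append(f"{r['time']} {r['principal']} denied on {r['instance']} ({r['outcome']})")
        elif r["os_user"] not in allowed_os_users:
            out.append(f"{r['time']} {r['principal']} pushed key as {r['os_user']} on {r['instance']}")
    return out


if __name__ == "__main__":
    print(json.dumps(instance_connect_policy("111122223333", "us-east-1", "ec2-user", "platform"), indent=2))
    for line in findings(audit_instance_connect(load_events(json.dumps({"Records": SAMPLE_EVENTS})))):
        print(line)
```

The audit deliberately keys on the SendSSHPublicKey API call rather than on anything from the instance: that call is the only artifact CloudTrail holds, and it is exactly what the SSH-client-based options in this question never produce. In a real deployment the same functions would run over CloudTrail log files from S3 or the results of a LookupEvents query.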