How can a solutions architect meet these requirements?
Launch new EC2 instances, and generate an individual SSH key for each instance. Store the SSH key in AWS Secrets Manager. Create a new IAM policy, and attach it to the engineers’ IAM role with an Allow statement for the GetSecretValue action. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.
Create an AWS Systems Manager document to run commands on EC2 instances to set a new unique SSH key. Create a new IAM policy, and attach it to the engineers’ IAM role with an Allow statement to run Systems Manager documents. Instruct the engineers to run the document to set an SSH key and to connect through any SSH client.
Launch new EC2 instances without setting up any SSH key for the instances. Set up EC2 Instance Connect on each instance. Create a new IAM policy, and attach it to the engineers’ IAM role with an Allow statement for the SendSSHPublicKey action. Instruct the engineers to connect to the instance by using a browser-based SSH client from the EC2 console.
Set up AWS Secrets Manager to store the EC2 SSH key. Create a new AWS Lambda function to create a new SSH key and to call AWS Systems Manager Session Manager to set the SSH key on the EC2 instance. Configure Secrets Manager to use the Lambda function for automatic rotation once daily. Instruct the engineers to fetch the SSH key from Secrets Manager when they connect through any SSH client.
Explanations:
This option suggests using AWS Secrets Manager to store individual SSH keys for each EC2 instance, which complies with the requirement of unique keys. However, it does not address the logging requirement in AWS CloudTrail for SSH connections. Additionally, the operational overhead of managing SSH keys in Secrets Manager can be significant and complex.
This option proposes using AWS Systems Manager to set new SSH keys on EC2 instances, which allows for unique keys. However, it does not directly address how the engineers would connect to the instances after generating the keys or how these connections would be logged in CloudTrail. It also requires the engineers to manually run the document to set the SSH key, which may not be efficient.
This option utilizes EC2 Instance Connect, which allows SSH access to EC2 instances without needing to manage individual SSH keys manually. It pushes a unique, short-lived SSH key for each connection, and because each key push is an API call (SendSSHPublicKey), every connection is recorded in CloudTrail, which meets the logging requirement. The engineers can use a browser-based SSH client, simplifying the process and ensuring compliance with security policies.
While this option suggests using AWS Secrets Manager for storing SSH keys and includes a Lambda function for automatic key rotation, it introduces unnecessary complexity. The connection method still relies on the engineers manually fetching the keys, which could lead to operational delays. Furthermore, it does not address how the SSH connections themselves would be logged in CloudTrail: Session Manager is used here only to set the key on the instance, not as the engineers' connection path.
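The EC2 Instance Connect option comes down to one IAM permission and one CloudTrail event. The following Python is an added example, not part of the original question or of AWS's own code: it builds the least-privilege policy for SendSSHPublicKey and filters constructed CloudTrail records for the key-push events that provide the required audit trail. The region, account id, instance id, role name, IP address and the exact record field names are assumptions.

```python
import json
# Least-privilege policy for the EC2 Instance Connect option: engineers may push
# a short-lived key only to the listed instances and only as one OS user.
# Region, account id, instance ids and OS user are caller-supplied placeholders.
def instance_connect_policy(region, account_id, instance_ids, os_user):
    arns = [f"arn:aws:ec2:{region}:{account_id}:instance/{i}" for i in instance_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": arns,
                # ec2:osuser is the condition key AWS documents for this action
                "Condition": {"StringEquals": {"ec2:osuser": os_user}},
            },
            # The console and CLI look the instance up before connecting
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        ],
    }

# Constructed CloudTrail records (not real account data): one key push by an
# engineer's assumed role, plus an unrelated EC2 call the filter must ignore.
SAMPLE_EVENTS = [
    {
        "eventSource": "ec2-instance-connect.amazonaws.com",
        "eventName": "SendSSHPublicKey",
        "eventTime": "2024-01-01T10:00:00Z",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/EngineerRole/alice"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"instanceId": "i-0123456789abcdef0", "osUser": "ec2-user"},
    },
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]

def ssh_key_pushes(events):
    """One row per SendSSHPublicKey call: who connected, from where, to what, as whom."""
    rows = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("ec2-instance-connect.amazonaws.com", "SendSSHPublicKey"):
            continue
        p = ev.get("requestParameters", {})
        rows.append({"time": ev["eventTime"], "principal": ev["userIdentity"]["arn"],
                     "source_ip": ev["sourceIPAddress"], "instance": p.get("instanceId"),
                     "os_user": p.get("osUser")})
    return rows

if __name__ == "__main__":
    policy = instance_connect_policy("us-east-1", "111122223333", ["i-0123456789abcdef0"], "ec2-user")
    print(json.dumps({"policy": policy, "key_pushes": ssh_key_pushes(SAMPLE_EVENTS)}, indent=2))
```

Scoping the Resource element to specific instance ARNs and pinning ec2:osuser is what keeps this tighter than the broad "Allow SendSSHPublicKey" the option text describes.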