How should a Security Engineer accomplish this?
Allow inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each user. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instances. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instance.
Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.
Use Amazon S3 to securely store one Privacy Enhanced Mail Certificate (PEM file) for each team or group. Allow Amazon EC2 to read from Amazon S3 and import every user that wants to use SSH to access EC2 instance. Allow inbound access on port 22 at the security group attached to the instance. Install the Amazon CloudWatch agent on the EC2 instance and configure it to ingest audit logs for the instances.
Explanations:
Systems Manager Session Manager is not tagged by users directly in the provided scenario. This option requires security group access on port 22, which does not fulfill the traceability requirement through Systems Manager.
Storing PEM files in S3 is not an efficient way to manage SSH access or user traceability. It also requires the CloudWatch agent on EC2, which doesn’t fulfill the requirement of traceable SSH commands.
By denying inbound access on port 22 and using Systems Manager Session Manager with user tags, all user sessions are tracked and logged. CloudWatch logging ensures SSH command traceability.
Using a single PEM file for each team/group doesn’t provide traceability per user. It also introduces potential security concerns. CloudWatch logging for instance audit logs does not track individual SSH commands.
I have a feeling that the answer is:
Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.