What is the MOST secure way for the Security team to provide the SysOps Administrator access to the bastion host?
Assign the same IAM role to the Administrator that is assigned to the bastion host.
Provide the Administrator with the SSH key that was used for the bastion host when it was originally launched.
Create a new IAM role with the same permissions as the Security team, and assign it to the Administrator.
Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.
Explanations:
Assigning the same IAM role to the Administrator as the bastion host does not grant access to the host itself. IAM roles control access to AWS resources, not EC2 instance login permissions.
Providing the SSH key used for the bastion host could expose sensitive access credentials. This approach is not recommended due to security concerns with sharing keys.
Creating a new IAM role with the same permissions as the Security team does not solve the issue of granting SSH access to the bastion host. IAM roles are for AWS resources, not EC2 login access.
Creating a new administrative account on the bastion host and storing the credentials in AWS Secrets Manager provides a secure and manageable way for the Administrator to access the host without exposing sensitive information.
I sort that the answer is:
Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.
In my opinion, the answer is:
Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.