What should a security engineer do to configure access to these EC2 instances to meet these requirements?
Use the EC2 serial console. Configure the EC2 serial console to save all commands that are entered to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows the EC2 serial console to access Amazon S3. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use the EC2 serial console.
Use EC2 Instance Connect. Configure EC2 Instance Connect to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instances with an IAM role that allows the EC2 Instances to access CloudWatch Logs. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use EC2 Instance Connect.
Use an EC2 key pair with an EC2 instance that needs SSH access. Access the EC2 instance with this key pair by using SSH. Configure the EC2 instance to save all commands that are entered to Amazon CloudWatch Logs. Provide the EC2 instance with an IAM role that allows the EC2 instance to access Amazon S3 and CloudWatch Logs.
Use AWS Systems Manager Session Manager. Configure Session Manager to save all commands that are entered in a session to an Amazon S3 bucket. Provide the EC2 instances with an IAM role that allows Systems Manager to manage the EC2 instances. Configure an IAM account for the system administrator. Provide an IAM policy that allows the IAM account to use Session Manager.
Explanations:
The EC2 serial console is a break-glass troubleshooting path for instances that cannot be reached over the network (boot or networking failures). Access is gated by IAM and by a local OS user password rather than a key pair, but the console has no native capability to record the commands entered in a session to CloudWatch Logs or an S3 bucket, so it does not satisfy the auditing requirement, and it is not intended as the routine administrative access path.
EC2 Instance Connect removes the need to distribute long-lived key pairs: the administrator's IAM identity is authorized to push a one-time SSH public key to the instance (valid for 60 seconds), after which the connection is an ordinary SSH session. CloudTrail records the SendSSHPublicKey API call, but nothing records the commands entered during the session, so the auditing requirement is not met.
Connecting over SSH with an EC2 key pair is exactly what the question rules out. Shipping a shell history file to CloudWatch Logs with the CloudWatch agent could capture some commands, but it does not cure the key-pair violation, and local shell history is trivially disabled or edited by the user being audited.
AWS Systems Manager Session Manager provides shell access through the SSM Agent with no SSH key pairs and no inbound ports. Session logging is configured once in the Session Manager preferences (the SSM-SessionManagerRunShell document) and records the full session to an S3 bucket and/or CloudWatch Logs. The instances need an instance profile whose role includes the AmazonSSMManagedInstanceCore managed policy plus permission to write to the chosen log destinations; the administrator needs an IAM policy granting ssm:StartSession, scoped to the target instances and to the preferences document so that logging cannot be bypassed by naming a different session document. Session start and end are also recorded in CloudTrail, so this option satisfies both the no-key-pair and the auditing requirements.
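The three pieces of configuration the correct option describes, written out as an added example (not part of the original question or of any AWS documentation): the instance role's trust and logging policies, the Session Manager preferences document with S3 and CloudWatch Logs recording enabled, and the administrator's policy. The account ID, bucket name, log group name and the Environment tag value are placeholder assumptions. The two checker functions flag the misconfigurations that silently defeat the audit requirement: preferences with no log destination, and an administrator policy that allows ssm:StartSession with any session document.

```python
"""Session Manager access without SSH key pairs, with session logging.

Added example; names below are placeholders, not values from the question.
"""
import json

ACCOUNT = "123456789012"                 # placeholder account ID
LOG_BUCKET = "example-ssm-session-logs"  # placeholder S3 bucket
LOG_GROUP = "/ssm/session-logs"          # placeholder CloudWatch log group
SESSION_DOC = "SSM-SessionManagerRunShell"

# 1. Role for the EC2 instances. Attach AmazonSSMManagedInstanceCore to it
#    so SSM Agent can register; this inline policy adds log-destination access.
INSTANCE_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
INSTANCE_LOGGING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": f"arn:aws:s3:::{LOG_BUCKET}/*"},
        {"Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"],
         "Resource": f"arn:aws:s3:::{LOG_BUCKET}"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
                    "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
         "Resource": f"arn:aws:logs:*:{ACCOUNT}:log-group:{LOG_GROUP}:*"},
    ],
}

# 2. Session Manager preferences (content of the SSM-SessionManagerRunShell
#    document). Empty s3BucketName and cloudWatchLogGroupName = no recording.
SESSION_PREFS = {
    "schemaVersion": "1.0",
    "description": "Session Manager preferences with S3 and CloudWatch logging",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": LOG_BUCKET,
        "s3KeyPrefix": "sessions/",
        "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": LOG_GROUP,
        "cloudWatchEncryptionEnabled": True,
        "cloudWatchStreamingEnabled": True,
        "runAsEnabled": False,
    },
}

# 3. Administrator policy: sessions only on tagged instances and only with
#    the preferences document above, so logging cannot be skipped by naming
#    a different session document. SessionDocumentAccessCheck forces the
#    CLI to name a document so the document-ARN statement is evaluated.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ssm:resourceTag/Environment": "prod"},
                       "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": f"arn:aws:ssm:*:*:document/{SESSION_DOC}"},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def session_logging_enabled(prefs):
    """True only if the preferences send sessions to S3 and/or CloudWatch Logs."""
    inputs = prefs.get("inputs", {})
    return bool(inputs.get("s3BucketName")) or bool(inputs.get("cloudWatchLogGroupName"))


def start_session_pinned_to_document(policy, document=SESSION_DOC):
    """True if ssm:StartSession is allowed on exactly `document` and on no
    wildcard that would admit an unlogged session document."""
    pinned = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "ssm:StartSession" not in _as_list(stmt.get("Action", [])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith(":document/*"):
                return False  # any document allowed: logging can be bypassed
            if res.endswith(f":document/{document}"):
                pinned = True
    return pinned


if __name__ == "__main__":
    # Write the preferences to a file for `aws ssm update-document`.
    print(json.dumps(SESSION_PREFS, indent=2))
```

The preferences JSON is applied with `aws ssm update-document --name SSM-SessionManagerRunShell --content file://prefs.json --document-version '$LATEST'`; the instance role and administrator policy are created through IAM as usual. The checks are worth running against the live preferences document and the administrator's effective policy, because a later edit that blanks the log destinations or adds a `document/*` grant leaves access working and auditing silently gone.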