What should a solutions architect do to meet these requirements MOST cost-effectively?
Create a bastion host in the same subnet as the EC2 instances. Grant the ec2:CreateVpnConnection IAM permission to the developers. Install EC2 Instance Connect so that the developers can connect to the EC2 instances.
Create an AWS Site-to-Site VPN connection between the corporate network and the VPC. Instruct the developers to use the Site-to-Site VPN connection to access the EC2 instances when the developers are on the corporate network. Instruct the developers to set up another VPN connection for access when they work remotely.
Create a bastion host in the public subnet of the VPC. Configure the security groups and SSH keys of the bastion host to only allow connections and SSH authentication from the developers' corporate and remote networks. Instruct the developers to connect through the bastion host by using SSH to reach the EC2 instances.
Attach the AmazonSSMManagedInstanceCore IAM policy to an IAM role that is associated with the EC2 instances. Instruct the developers to use AWS Systems Manager Session Manager to access the EC2 instances.
Explanations:
Creating a bastion host in the same subnet as the EC2 instances does not solve the access problem: the instances are in a private subnet, so a bastion placed alongside them is just as unreachable from outside the VPC. Granting the ec2:CreateVpnConnection IAM permission is unrelated to SSH access (it only lets developers create Site-to-Site VPN connections, which is an infrastructure task, not a login method). EC2 Instance Connect pushes a one-time SSH public key to an instance but still requires the instance's SSH port to be reachable, so it does not remove the need for a network path or for managing SSH access.
Setting up a Site-to-Site VPN connection requires a customer gateway on the corporate side and a virtual private gateway or transit gateway in the VPC, plus hourly charges for the VPN connection, and it only covers developers who are on the corporate network. Remote developers would need a second VPN path (or a client VPN) on top of that. This doubles the infrastructure and management overhead without being the most cost-effective way to give developers access to the EC2 instances.
While a bastion host in a public subnet can provide SSH access to instances in a private subnet, it is an additional EC2 instance to pay for, patch, and monitor, and it exposes an SSH endpoint to the internet that must be protected with tightly scoped security group rules and carefully managed SSH keys. Every developer's key has to be distributed and rotated, and a compromised bastion gives an attacker a foothold inside the VPC. It works, but it costs more and carries more risk than a solution that needs no inbound access at all.
Using AWS Systems Manager Session Manager provides a secure and cost-effective method for accessing EC2 instances without a bastion host or any VPN connection. The instances only need an IAM role with the AmazonSSMManagedInstanceCore policy, the SSM Agent (preinstalled on Amazon Linux and many other AWS-provided AMIs), and outbound HTTPS connectivity to the Systems Manager endpoints (through a NAT gateway or VPC interface endpoints for ssm, ssmmessages, and ec2messages). No inbound security group rules, no public IP addresses, and no SSH keys are required, because the agent opens the connection outbound and the developer connects through the AWS console or the AWS CLI with the Session Manager plugin. Who can open a session to which instance is controlled with IAM rather than with network rules, and session activity can be logged to CloudWatch Logs or Amazon S3 for auditing. Developers get the same access path whether they are on the corporate network or working remotely, which is what makes this option both the most secure and the most cost-effective.
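The option above only covers the instance side (the AmazonSSMManagedInstanceCore policy on the instance role). The developer side also needs an IAM policy, and that policy is where the access is actually scoped. The following identity-based policy is an added example written for this explanation, not part of the original question or of any AWS-published policy: it lets a developer start a shell session only on instances tagged Environment=dev in one account and Region, and only resume or terminate their own sessions. The account ID 111122223333, the Region us-east-1, and the tag key and value are placeholder assumptions; the condition keys ssm:resourceTag, ssm:SessionDocumentAccessCheck, and the ${aws:userid}-* session ARN pattern are documented Session Manager controls.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnlyOnDevTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Environment": "dev" }
      }
    },
    {
      "Sid": "OnlyTheInteractiveShellDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell",
      "Condition": {
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "ManageOnlyOwnSessions",
      "Effect": "Allow",
      "Action": [
        "ssm:ResumeSession",
        "ssm:TerminateSession"
      ],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:session/${aws:userid}-*"
    },
    {
      "Sid": "ReadOnlyLookupsNeededByConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceInformation",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

Two points worth checking when applying a policy like this. First, ssm:StartSession is evaluated against both the instance ARN and the document ARN, so the tag condition goes on the instance statement only; putting it on the document statement would always fail because SSM documents are not tagged with the instance's tags. Second, the instance still needs its own role with AmazonSSMManagedInstanceCore and a route to the SSM endpoints; an instance that is not registered with Systems Manager will not appear as a target no matter what the developer's policy allows.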