What should the DevOps engineer do to grant the contractors access to the application server?
Create an IAM user and SSH keys for each contractor. Add the public SSH key to the application server’s SSH authorized_keys file. Instruct the contractors to install the AWS CLI and AWS Systems Manager Session Manager plugin, update their AWS credentials files with their private keys, and use the aws ssm start-session command to gain access to the target application server instance ID.
Ask each contractor to securely send their SSH public key. Add this public key to the application server’s SSH authorized_keys file. Instruct the contractors to use their private key to connect to the application server through SSH.
Ask each contractor to securely send their SSH public key. Use EC2 key pairs to import their key. Update the application server’s SSH authorized_keys file. Instruct the contractors to use their private key to connect to the application server through SSH.
Create an IAM user for each contractor with programmatic access. Add each user to an IAM group that has a policy that allows the ssm:StartSession action. Instruct the contractors to install the AWS CLI and AWS Systems Manager Session Manager plugin, update their AWS credentials files with their access keys, and use the aws ssm start-session command to gain access to the target application server instance ID.
Explanations:
While the use of AWS Systems Manager (SSM) Session Manager is correct for accessing the private subnet, this option lacks clarity on how the contractors can securely access their IAM user credentials or interact with the AWS CLI without VPN access. It also does not mention SSH key handling, which should be included for proper authentication.
This option assumes direct SSH access, which is not possible for instances in a private subnet without VPN or direct access setup. It doesn’t consider SSM for secure access.
This option discusses SSH access, which is not suitable for instances in a private subnet without VPN. EC2 Key Pair import is not relevant here for external contractors without VPN access.
This option correctly outlines the use of AWS Systems Manager (SSM) Session Manager for secure access, with contractors using the AWS CLI and Session Manager plugin. This avoids the need for direct SSH access and works for instances in a private subnet.