Which additional actions should the administrator take to control access?
(Choose two.)
Attach an IAM policy to the users or groups that require access to the EC2 instances.
Attach an IAM role to control access to the EC2 instances.
Create a placement group for the EC2 instances and add a specific tag.
Create a service account and attach it to the EC2 instances that need to be controlled.
Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.
Explanations:
Attaching an IAM policy to the users or groups requiring access to the EC2 instances allows for specific permission management. This policy can specify conditions based on the instance tags, controlling who can access which instances via Session Manager.
Attaching an IAM role directly to EC2 instances does not control user access. Roles are used for granting permissions to AWS services on behalf of the instances, rather than managing user access to the instances themselves.
Creating a placement group is related to the physical placement of EC2 instances for performance optimization and does not control user access to those instances. Tagging alone does not influence access permissions.
Creating a service account and attaching it to the EC2 instances does not apply in this context. Service accounts are not a mechanism for controlling user access to EC2 instances through Session Manager.
Creating an IAM policy that grants access to EC2 instances based on a specific tag in the Condition element allows for fine-grained control over which instances a user can access. This directly leverages the tagging already in place.
I estimate that the answer is:
Attach an IAM policy to the users or groups that require access to the EC2 instances.