Which combination of actions will accomplish this?
(Choose two.)
Allow inbound access to TCP port 22 in all associated EC2 security groups from the VPC CIDR range.
Attach an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile.
Create a VPC endpoint for Systems Manager in the desired Region.
Deploy a new EC2 instance that will act as a bastion host to the rest of the EC2 instance fleet.
Remove any default routes in the associated route tables.
Explanations:
Allowing inbound access to TCP port 22 from the VPC CIDR range would enable SSH access, which contradicts the requirement to use only AWS Systems Manager Session Manager for access. Session Manager needs no inbound rule at all: the SSM Agent on each instance opens an outbound HTTPS (TCP 443) connection to the Systems Manager endpoints, so adding a port 22 rule only re-exposes the instances to direct SSH connections.
Attaching an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile (in practice, to the role the profile references, for example the AWS managed policy AmazonSSMManagedInstanceCore) is essential for enabling EC2 instances to use Session Manager. The SSM Agent uses the profile's credentials to register the instance with Systems Manager (ssm:UpdateInstanceInformation) and to open the session control and data channels (the ssmmessages:*Channel actions). Without these permissions the instance never appears as a managed node and no session can be started.
Creating a VPC endpoint for Systems Manager allows the agent to reach the service over the AWS private network, so the instances need neither a public IP, an internet gateway nor a NAT gateway, and access is only through a private path. In practice this is a set of interface endpoints in the instances' subnets (com.amazonaws.<region>.ssm and com.amazonaws.<region>.ssmmessages for Session Manager, plus com.amazonaws.<region>.ec2messages for the rest of the agent's traffic) with private DNS enabled and a security group that allows TCP 443 from the VPC CIDR range.
Deploying a new EC2 instance as a bastion host introduces additional complexity and does not align with the goal of eliminating SSH access. A bastion host is typically used for SSH access, which contradicts the objective of using only Session Manager.
Removing default routes in the associated route tables only cuts the instances' internet egress; it does not create a path to Systems Manager and, without VPC endpoints in place, it breaks the agent's only route to the service. It is a disruptive change rather than a step toward enabling access through Session Manager, so it is not part of the correct answer.
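The two correct actions, as an added CloudFormation example that is not part of the original question or of any AWS documentation: a least-privilege managed policy attached to the fleet's existing instance role, the three interface endpoints with a security group that allows only TCP 443 from the VPC CIDR, and a fleet security group with no inbound rules at all. The parameter names, the assumed CIDR in the comment and the role name are assumptions for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: private Session Manager access for an EC2 fleet with no
  inbound SSH. The SSM Agent connects outbound on 443 to the endpoints.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:
    Type: String            # assumed value, e.g. 10.0.0.0/16
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  ExistingRoleName:
    Type: String            # assumed: the role behind the fleet's existing instance profile

Resources:
  # Correct action 1: grant the existing instance role the Systems Manager
  # permissions. This is the minimum Session Manager needs; the AWS managed
  # policy AmazonSSMManagedInstanceCore is the broader, ready-made alternative.
  SessionManagerInstancePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Minimum permissions for the SSM Agent to serve Session Manager
      Roles:
        - !Ref ExistingRoleName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - ssm:UpdateInstanceInformation      # register as a managed node
              - ssmmessages:CreateControlChannel   # session control/data channels
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
            Resource: "*"

  # Security group on the endpoints: only HTTPS from inside the VPC.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the VPC to the Systems Manager endpoints
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcCidr

  # Correct action 2: interface endpoints so the agent never needs internet
  # egress. ssm + ssmmessages carry Session Manager; ec2messages carries the
  # agent's remaining traffic (Run Command) and is deployed in the same set.
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
  SsmMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssmmessages
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
  Ec2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ec2messages
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup

  # The wrong option (inbound 22) is deliberately absent: the fleet's group has
  # no ingress rules, only the default allow-all egress the agent uses for 443.
  FleetSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Session Manager only; no inbound rules
      VpcId: !Ref VpcId
```

Once the stack is deployed and the fleet uses FleetSecurityGroup, an operator with ssm:StartSession on the instance connects with `aws ssm start-session --target <instance-id>`; if the instance does not show up in `aws ssm describe-instance-information`, the first things to check are the instance role's permissions and whether private DNS on the three endpoints resolves from inside the subnet.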