Which solution meets these requirements for remote access to the application instances?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company recently deployed a new application that runs on a group of Amazon EC2 Linux instances in a VPC.In a peered VPC, the company launched an EC2Linux instance that serves as a bastion host.The security group of the application instances allows access only on TCP port 22 from the private IP of the bastion host.The security group of the bastion host allows access to TCP port 22 from 0.0.0.0/0 so that system administrators can use SSH to remotely log in to the application instances from several branch offices.While looking through operating system logs on the bastion host, a cloud engineer notices thousands of failed SSH logins to the bastion host from locations around the world.The cloud engineer wants to change how remote access is granted to the application instances and wants to meet the following requirements:✑ Eliminate brute-force SSH login attempts.✑ Retain a log of commands run during an SSH session.✑ Retain the ability to forward ports.

Which solution meets these requirements for remote access to the application instances?

Configure the application instances to communicate with AWS Systems Manager. Grant access to the system administrators to use Session Manager to establish a session with the application instances. Terminate the bastion host.

Update the security group of the bastion host to allow traffic from only the public IP addresses of the branch offices.

Configure an AWS Client VPN endpoint and provision each system administrator with a certificate to establish a VPN connection to the application VPC. Update the security group of the application instances to allow traffic from only the Client VPN IPv4 CIDR. Terminate the bastion host.

Configure the application instances to communicate with AWS Systems Manager. Grant access to the system administrators to issue commands to the application instances by using Systems Manager Run Command. Terminate the bastion host.

Explanations:

Using AWS Systems Manager and Session Manager allows secure shell access without exposing SSH ports to the internet, thereby eliminating brute-force attacks. It also retains a log of commands run during the session, satisfying the requirement to retain command logs. Port forwarding is supported through Session Manager as well.

Updating the security group to allow traffic only from specific public IP addresses may reduce brute-force attempts but does not eliminate the risk entirely. It also does not provide a way to log commands run during the session or support port forwarding.

Configuring an AWS Client VPN provides secure access, but it requires additional setup and management of certificates for each user. While it can restrict access and eliminate brute-force attempts, it does not inherently retain logs of commands run during SSH sessions, which is a requirement.

While Systems Manager Run Command allows command execution on instances, it does not provide a session interface like SSH for real-time command execution and does not allow for port forwarding. It does not fulfill the requirement for SSH session logging.

2025-10-11

1 Comment

  1. Denise
    Author

    As far as I’m aware, the answer is:
    Configure the application instances to communicate with AWS Systems Manager. Grant access to the system administrators to use Session Manager to establish a session with the application instances. Terminate the bastion host.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × 3 =