Which solution will meet these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to send notifications to the security team whenever a user logs in to an EC2 instance. Use EC2 Instance Connect to log in to the instances. Deploy Auto Scaling groups by using AWS CloudFormation. Use the cfn-init helper script to deploy appropriate VPC routes for external access. Rebuild the custom AMI so that the custom AMI includes AWS Systems Manager Agent.
B. Deploy a NAT gateway and a bastion host that has internet access. Create a security group that allows incoming traffic on all the EC2 instances from the bastion host. Install AWS Systems Manager Agent on all the EC2 instances. Use Auto Scaling group lifecycle hooks for monitoring and auditing access. Use Systems Manager Session Manager to log in to the instances. Send logs to a log group in Amazon CloudWatch Logs. Export data to Amazon S3 for auditing. Send notifications to the security team by using S3 event notifications.
C. Use EC2 Image Builder to rebuild the custom AMI. Include the most recent version of AWS Systems Manager Agent in the image. Configure the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to all the EC2 instances. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
D. Use AWS Systems Manager Automation to build Systems Manager Agent into the custom AMI. Configure AWS Config to attach an SCP to the root organization account to allow the EC2 instances to connect to Systems Manager. Use Systems Manager Session Manager to log in to the instances. Enable logging of session details to Amazon S3. Create an S3 notification for new file uploads to send a message to the security team through an Amazon Simple Notification Service (Amazon SNS) topic.
Explanations:
Option A: While this option suggests using EventBridge and EC2 Instance Connect, it does not provide a robust method for centralized access control and does not detail how to log session activity effectively. The use of cfn-init for VPC routing is also not necessary, as VPC endpoints are already in place. Additionally, rebuilding the AMI with the Systems Manager Agent is not sufficient without the proper IAM role configuration for the instances.
Option B: This option introduces a NAT gateway and a bastion host, which contradicts the requirement of having no internet access for the EC2 instances due to data sensitivity. While it suggests using Systems Manager Session Manager, it also involves unnecessary complexity with a bastion host, which is not aligned with the requirement for centralized, automated access. The monitoring method through lifecycle hooks is not clearly defined and may not provide sufficient logging for security audits.
Option C: This option effectively addresses all requirements by rebuilding the custom AMI to include the Systems Manager Agent, allowing for secure access via Session Manager without internet access. It also configures the Auto Scaling group with the necessary IAM role and enables logging of session details to S3. The S3 notification for new file uploads provides a mechanism for notifying the security team, fulfilling all stated requirements.
Option D: This option suggests using AWS Systems Manager Automation to build the agent into the AMI, but it does not clarify the centralized access management aspect effectively. The mention of attaching an SCP to the root organization account is unclear in context and does not guarantee centralized access control. While logging to S3 and notifying the security team is included, it does not offer a comprehensive solution compared to Option C.
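The moving parts of Option C expressed as a CloudFormation template, added here as an example and not part of the original question or answer key. It assumes the VPC already has the Systems Manager and S3 interface/gateway endpoints the question describes; the parameter names, the instance type, the group size limits and the policy names are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CustomAmiId: {Type: AWS::EC2::Image::Id}             # AMI rebuilt with SSM Agent (placeholder)
  PrivateSubnetIds: {Type: List<AWS::EC2::Subnet::Id>} # private subnets; SSM and S3 VPC endpoints assumed
Resources:
  InstanceRole:                      # the role Option C attaches to every instance via the Auto Scaling group
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement: [{Effect: Allow, Principal: {Service: ec2.amazonaws.com}, Action: sts:AssumeRole}]
      ManagedPolicyArns: [arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore]
      Policies:                      # session logs are uploaded by the instance itself, so it needs write access
        - PolicyName: WriteSessionLogs
          PolicyDocument: {Statement: [
            {Effect: Allow, Action: s3:PutObject, Resource: !Sub '${SessionLogBucket.Arn}/*'},
            {Effect: Allow, Action: s3:GetEncryptionConfiguration, Resource: !GetAtt SessionLogBucket.Arn}]}
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: {Roles: [!Ref InstanceRole]}
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData: {ImageId: !Ref CustomAmiId, InstanceType: t3.micro,
                           IamInstanceProfile: {Arn: !GetAtt InstanceProfile.Arn}}
  AutoScalingGroup:                  # private subnets only: no NAT, no bastion, access is Session Manager
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties: {MinSize: '1', MaxSize: '3', VPCZoneIdentifier: !Ref PrivateSubnetIds,
                 LaunchTemplate: {LaunchTemplateId: !Ref LaunchTemplate, Version: !GetAtt LaunchTemplate.LatestVersionNumber}}
  SessionLogBucket:                  # each finished session is written here as a new object ...
    Type: AWS::S3::Bucket
    DependsOn: TopicPolicy           # S3 validates that it may publish to the topic when the notification is set
    Properties:
      NotificationConfiguration:
        TopicConfigurations: [{Event: 's3:ObjectCreated:*', Topic: !Ref SecurityTopic}]
  SecurityTopic:                     # ... and every new object notifies the security team through SNS
    Type: AWS::SNS::Topic
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref SecurityTopic]
      PolicyDocument:
        Statement: [{Effect: Allow, Principal: {Service: s3.amazonaws.com}, Action: sns:Publish,
                     Resource: !Ref SecurityTopic, Condition: {StringEquals: {'aws:SourceAccount': !Ref 'AWS::AccountId'}}}]
  SessionPreferences:                # Session Manager preferences document: log session details to S3
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Session
      Name: SSM-SessionManagerRunShell          # the reserved name Session Manager reads preferences from
      Content: {schemaVersion: '1.0', sessionType: Standard_Stream,
                inputs: {s3BucketName: !Ref SessionLogBucket, s3EncryptionEnabled: true}}
```

Note that the S3 write permission sits on the instance role rather than on the operator: the agent on the instance uploads the session log, which is why Option A's AMI rebuild without an instance role is not enough.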