Which solution will meet these requirements MOST securely?
A. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use AWS IAM Identity Center to provide the external support engineers console access. Use Systems Manager Session Manager to assign the required permissions.
B. Confirm that AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use Systems Manager Session Manager to provide local IAM user credentials in each AWS account to the external support engineers for console access.
C. Confirm that all instances have a security group that allows SSH access only from the external support engineers' source IP address ranges. Provide local IAM user credentials in each AWS account to the external support engineers for console access. Provide each external support engineer an SSH key pair to log in to the application instances.
D. Create a bastion host in a public subnet. Set up the bastion host security group to allow access from only the external engineers' IP address ranges. Ensure that all instances have a security group that allows SSH access from the bastion host. Provide each external support engineer an SSH key pair to log in to the application instances. Provide local account IAM user credentials to the engineers for console access.
Explanations:
Option A (SSM Agent, instance profile, IAM Identity Center and Session Manager) is the most secure choice. Session Manager reaches an instance over the agent's outbound HTTPS connection to the Systems Manager endpoints, so no inbound security-group rule, public IP address, bastion host or SSH key is required, and the instances can stay in private subnets (they need a route to the ssm, ssmmessages and ec2messages endpoints, through a NAT gateway or VPC interface endpoints). Authorization is an IAM decision: the permission set assigned in IAM Identity Center grants ssm:StartSession, which can be scoped to specific instances by tag, and every session is recorded in CloudTrail and can be logged in full to CloudWatch Logs or S3. Identity Center issues the external engineers short-lived credentials from one central directory, so their access can be revoked in one place when the engagement ends. The option's wording is loose on one point: Session Manager does not itself assign permissions; the permissions come from the IAM policy in the permission set, and Session Manager enforces them.
Option B uses SSM Agent and Session Manager correctly but gives console access through local IAM users in each account. Those are long-lived static credentials that have to be created, rotated and deleted separately in every account, carry no central MFA or lifecycle management, and are easy to leave behind after an engineer leaves the vendor. IAM Identity Center supplies temporary credentials from one place and is the recommended way to give people console access.
Option C opens SSH (port 22) on every application instance to the engineers' source IP ranges. The instances then need an inbound network path on that port, a source-IP allowlist is coarse (any user or compromised host on those networks reaches the port), and SSH key pairs handed to an external party have no built-in expiry, are awkward to rotate and leave no central record of who used them. It also relies on local IAM users, with the same drawbacks as Option B. Systems Manager gives the same shell access with no inbound network exposure at all.
Option D puts SSH behind a bastion host, which is better than Option C but still adds a public-facing host that must be patched, monitored and locked down, a second set of SSH keys, and more security-group rules to maintain. The bastion's key becomes a high-value target, and the bastion provides no session logging unless that is built separately. Session Manager removes the bastion and the inbound rules entirely and reaches instances in private subnets over the agent's outbound connection.
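The IAM side of Option A, as an added example that is not part of the original page: the managed policy the instance profile needs, an inline policy for the IAM Identity Center permission set that limits the external engineers to Session Manager shells on tagged instances, and a deliberately simplified evaluator that shows what that policy does and does not allow. The tag SupportAccess=external and the username "engineer" are assumptions for illustration; the evaluator only models the features the policy uses and is not a substitute for IAM itself.

```python
"""Added example (not from the page): the IAM pieces behind Option A.

Assumptions not in the original: instances the external engineers may reach
carry the tag SupportAccess=external, and the engineer's username is "engineer".
"""
import fnmatch
import json

SUPPORT_TAG_KEY = "SupportAccess"   # assumed tag key
SUPPORT_TAG_VALUE = "external"      # assumed tag value


def instance_profile_policy_arn():
    """Managed policy to attach to the instance profile so SSM Agent can register
    with Systems Manager. The agent only makes outbound HTTPS calls, so no
    inbound security-group rule is needed on the instance."""
    return "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def permission_set_policy():
    """Inline policy for the external engineers' Identity Center permission set."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Start a session only on instances carrying the support tag.
                "Sid": "StartSessionOnTaggedInstances",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {f"ssm:resourceTag/{SUPPORT_TAG_KEY}": SUPPORT_TAG_VALUE}
                },
            },
            {   # Only the default interactive-shell document, so engineers cannot
                # choose a port-forwarding or custom session document.
                "Sid": "DefaultShellDocumentOnly",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
                "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
            },
            {   # Read-only calls the console needs to list instances and sessions.
                "Sid": "DescribeForConsole",
                "Effect": "Allow",
                "Action": [
                    "ssm:DescribeSessions",
                    "ssm:GetConnectionStatus",
                    "ssm:DescribeInstanceProperties",
                    "ec2:DescribeInstances",
                ],
                "Resource": "*",
            },
            {   # Engineers may end or resume only sessions they started themselves.
                "Sid": "ManageOwnSessionsOnly",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn, resource_tags=None, username="engineer"):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Handles wildcards in actions and resources, the ${aws:username}
    variable and StringEquals on ssm:resourceTag/<key>; any other condition
    operator is treated as satisfied. Real authorization is done by IAM."""
    resource_tags = resource_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        resources = [r.replace("${aws:username}", username) for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        tag_conds = stmt.get("Condition", {}).get("StringEquals", {})
        if any(resource_tags.get(key.split("/", 1)[1]) != want
               for key, want in tag_conds.items() if key.startswith("ssm:resourceTag/")):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = permission_set_policy()
    print(json.dumps(policy, indent=2))
    tagged = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
    print(is_allowed(policy, "ssm:StartSession", tagged, {SUPPORT_TAG_KEY: SUPPORT_TAG_VALUE}))  # True
    print(is_allowed(policy, "ssm:StartSession", tagged))  # False: instance not tagged
```

Attach the inline policy to the permission set in IAM Identity Center and assign it to the external engineers' group in each account that hosts application instances; tag only the instances they are meant to reach. Session content logging is configured separately in the Session Manager preferences (the SSM-SessionManagerRunShell document), so turn on CloudWatch Logs or S3 logging there before the engagement starts.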