Which solution will meet these requirements with the MOST operational efficiency?

By:
In: SOA-C02
Tagged:
With: 1 Comment
A company runs thousands of Amazon EC2 instances that are based on the Amazon Linux 2 Amazon Machine Image (AMI).A SysOps administrator must implement a solution to record commands and output from any user that needs an interactive session on one of the EC2 instances.The solution must log the data to a durable storage location.The solution also must provide automated notifications and alarms that are based on the log data.

Which solution will meet these requirements with the MOST operational efficiency?

Configure command session logging on each EC2 instance. Configure the unified Amazon CloudWatch agent to send session logs to Amazon CloudWatch Logs. Set up query filters and alerts by using Amazon Athena.

Require all users to use a central bastion host when they need command line access to an EC2 instance. Configure the unified Amazon CloudWatch agent on the bastion host to send session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.

Require all users to use AWS Systems Manager Session Manager when they need command line access to an EC2 instance. Configure Session Manager to stream session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.

Configure command session logging on each EC2 instance. Require all users to use AWS Systems Manager Run Command documents when they need command line access to an EC2 instance. Configure the unified Amazon CloudWatch agent to send session logs to Amazon CloudWatch Logs. Set up CloudWatch alarms that are based on Amazon Athena query results.

Explanations:

While this option provides command session logging and uses Amazon CloudWatch for logging, it requires configuration on each EC2 instance individually. This adds operational overhead and does not leverage AWS Systems Manager, which offers a more efficient centralized management solution.

This option relies on a central bastion host for user access, which introduces a single point of failure and operational complexity. Additionally, managing session logs from a bastion host is less efficient than using AWS Systems Manager Session Manager, which can directly log sessions from multiple instances without requiring a bastion host.

This solution utilizes AWS Systems Manager Session Manager, which allows for secure access to EC2 instances without needing a bastion host. It automatically logs session data to Amazon CloudWatch Logs, and setting up metric filters and alarms in CloudWatch allows for effective monitoring of logs. This provides a highly efficient and centralized way to manage user sessions.

Although this option uses AWS Systems Manager for command execution and logs sessions, it requires configuration on each EC2 instance for command session logging. It also introduces additional complexity by using both Run Command and the CloudWatch agent, leading to more operational overhead compared to the streamlined approach of Session Manager in option C.

2025-10-01

1 Comment

  1. Justin
    Author

    I design that the answer is:
    Require all users to use AWS Systems Manager Session Manager when they need command line access to an EC2 instance. Configure Session Manager to stream session logs to Amazon CloudWatch Logs. Set up a metric filter and a metric alarm for relevant security findings in CloudWatch Logs.

Leave a Reply

Your email address will not be published. Required fields are marked *

14 + 1 =