Which solution will meet this requirement?

By:
In: SOA-C02
Tagged:
With: 1 Comment
A team of on-call engineers frequently needs to connect to Amazon EC2 instances in a private subnet to troubleshoot and run commands.The instances use either the latest AWS-provided Windows Amazon Machine Images (AMIs) or Amazon Linux AMIs.The team has an existing 1AM role for authorization.A SysOps administrator must provide the team with access to the instances by granting IAM permissions to this role.

Which solution will meet this requirement?

Add a statement to the 1AM role policy to allow the ssm:StartSession action on the instances. Instruct the team to use AWS Systems Manager Session Manager to connect to the instances by using the assumed IAM role.

Associate an Elastic IP address and a security group with each instance. Add the engineers’ IP addresses to the security group inbound rules. Add a statement to the IAM role policy to allow the ec2:AuthorizeSecurityGrouplngress action so that the team can connect to the instances.

Create a bastion host with an EC2 instance, and associate the bastion host with the VPC. Add a statement to the 1AM role policy to allow the ec2:CreateVpnConnection action on the bastion host. Instruct the team to use the bastion host endpoint to connect to the instances.

Create an internet-facing Network Load Balancer. Use two listeners. Forward port 22 to a target group of Linux instances. Forward port 3389 to a target group of Windows instances. Add a statement to the IAM role policy to allow the ec2:CreateRoute action so that the team can connect to the instances.

Explanations:

Adding a statement to the IAM role policy to allow thessm:StartSessionaction enables the team to connect to EC2 instances via AWS Systems Manager Session Manager. This does not require opening inbound ports or using a bastion host, and it works regardless of whether the EC2 instances are in private subnets.

Associating an Elastic IP address and modifying security groups would expose the EC2 instances directly to the internet, which goes against the goal of securely connecting to instances in a private subnet. The IAM role policy does not need theec2:AuthorizeSecurityGrouplngresspermission for this task.

Creating a bastion host introduces unnecessary complexity for accessing instances in a private subnet. It also requires additional setup, including managing VPN connections, which is not required for accessing instances via Session Manager.

Using an internet-facing Network Load Balancer for SSH and RDP access exposes the instances to the internet, which is not recommended. Additionally, the IAM permissions needed for this solution (ec2:CreateRoute) are irrelevant to the task of simply accessing EC2 instances through secure means like Session Manager.

2025-10-18

1 Comment

  1. Jeffrey
    Author

    I think the answer is:
    Add a statement to the 1AM role policy to allow the ssm:StartSession action on the instances. Instruct the team to use AWS Systems Manager Session Manager to connect to the instances by using the assumed IAM role.

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty − 12 =