Which strategy should a solutions architect use?
A. Install and configure EC2 Instance Connect on the fleet of EC2 instances. Remove all security group rules attached to EC2 instances that allow inbound TCP on port 22. Advise the engineers to remotely access the instances by using the EC2 Instance Connect CLI.
B. Update the EC2 security groups to only allow inbound TCP on port 22 from the IP addresses of the engineers’ devices. Install the Amazon CloudWatch agent on all EC2 instances and send operating system audit logs to CloudWatch Logs.
C. Update the EC2 security groups to only allow inbound TCP on port 22 from the IP addresses of the engineers’ devices. Enable AWS Config for EC2 security group resource changes. Enable AWS Firewall Manager and apply a security group policy that automatically remediates changes to rules.
D. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin on their devices and remotely access the instances by using the start-session API call from Systems Manager.
Explanations:
A. While EC2 Instance Connect can provide a secure method for SSH access, simply removing all security group rules for port 22 would prevent engineers from accessing instances entirely. It does not adequately address the need for auditing SSH commands.
B. Restricting SSH access to the engineers’ IP addresses improves security, but it does not provide command auditing. The CloudWatch agent does not inherently log SSH command usage, thus failing to meet the requirement for auditing.
C. Although restricting access to specific IP addresses is a positive step, enabling AWS Config and Firewall Manager does not fulfill the auditing requirement for commands run by engineers. These services mainly focus on monitoring and compliance rather than command-level auditing.
D. This option enhances security by removing inbound SSH access and using Systems Manager Session Manager for access. The use of an IAM role with the AmazonSSMManagedInstanceCore policy allows for secure access while enabling logging and auditing of commands through Systems Manager, meeting both security and auditing requirements.
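The following is an added example, not part of the original question or its answer key, showing the two checks a practitioner would want when implementing option D: confirming that no security group still admits inbound TCP/22 (directly or via an all-protocol rule), and generating the trust policy and the `SSM-SessionManagerRunShell` preferences document that turn on session logging to CloudWatch Logs. The security group data is a constructed sample in the shape of `aws ec2 describe-security-groups` output; the group IDs and log group name are placeholders, and the policy/document keys are the standard ones used by IAM and Session Manager.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs are placeholders, not real resources.
SAMPLE_SGS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0a1",  # bastion-style group: SSH open to the world
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0b2",  # app group: allows ALL traffic from sg-0a1 (implicitly includes 22)
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]},
            ],
        },
        {
            "GroupId": "sg-0c3",  # already clean: HTTPS only
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
    ]
}


def rules_allowing_ssh(describe_output):
    """Return (group_id, source) pairs for every inbound rule that admits TCP/22.

    A rule matches if it is TCP with a port range covering 22, or IpProtocol "-1"
    (all traffic), which also covers 22 and is easy to overlook in a manual review.
    """
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                covers_22 = True
            elif proto == "tcp":
                lo = perm.get("FromPort", 0)
                hi = perm.get("ToPort", 65535)
                covers_22 = lo <= 22 <= hi
            else:
                covers_22 = False
            if not covers_22:
                continue
            sources = (
                [r["CidrIp"] for r in perm.get("IpRanges", [])]
                + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            )
            for src in sources:
                findings.append((sg["GroupId"], src))
    return findings


def instance_role_trust_policy():
    """Trust policy letting EC2 assume the role that carries AmazonSSMManagedInstanceCore."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def session_manager_preferences(log_group_name, idle_timeout_minutes=20):
    """Content for the SSM-SessionManagerRunShell document with CloudWatch session logging on.

    Streaming the session transcript to CloudWatch Logs is what gives the auditable
    record of commands run through Session Manager.
    """
    return {
        "schemaVersion": "1.0",
        "description": "Session Manager preferences (added example, placeholder log group)",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": "",
            "s3KeyPrefix": "",
            "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": log_group_name,
            "cloudWatchEncryptionEnabled": True,
            "cloudWatchStreamingEnabled": True,
            "kmsKeyId": "",
            "runAsEnabled": False,
            "runAsDefaultUser": "",
            "idleSessionTimeout": str(idle_timeout_minutes),
        },
    }


if __name__ == "__main__":
    for group_id, source in rules_allowing_ssh(SAMPLE_SGS):
        print(f"inbound TCP/22 still allowed: {group_id} from {source}")
    print(json.dumps(session_manager_preferences("/placeholder/ssm-sessions"), indent=2))
```

The output of `rules_allowing_ssh` is the remediation list for the "remove all security group rules that allow inbound TCP on port 22" step; note that it flags the all-traffic rule on `sg-0b2`, which a search for `FromPort == 22` alone would miss. The preferences document can be applied with `aws ssm update-document --name SSM-SessionManagerRunShell` once the log group exists and the instance role can write to it.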