Which strategy should a solutions architect use?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A startup company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI.The company’s engineers rely heavily on SSH access to the instances for troubleshooting.The company’s existing architecture includes the following:✑ A VPC with private and public subnets, and a NAT gateway✑ Site-to-Site VPN for connectivity with the on-premises environment✑ EC2 security groups with direct SSH access from the on-premises environmentThe company needs to increase security controls around SSH access and provide auditing of commands run by the engineers.

Which strategy should a solutions architect use?

Install and configure EC2 Instance Connect on the fleet of EC2 instances. Remove all security group rules attached to EC2 instances that allow inbound TCP on port 22. Advise the engineers to remotely access the instances by using the EC2 Instance Connect CLI.

Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer’s devices. Install the Amazon CloudWatch agent on all EC2 instances and send operating system audit logs to CloudWatch Logs.

Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer’s devices. Enable AWS Config for EC2 security group resource changes. Enable AWS Firewall Manager and apply a security group policy that automatically remediates changes to rules.

Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.

Explanations:

EC2 Instance Connect is a valid solution for accessing EC2 instances without exposing port 22 to the public, but it requires security group rules that allow inbound SSH traffic. Simply removing all inbound TCP on port 22 rules would prevent SSH access altogether, making it unsuitable as a secure method for access.

While restricting inbound TCP on port 22 to the engineers’ IP addresses increases security, it does not address the requirement for auditing commands run by the engineers. Installing the CloudWatch agent for logs is helpful but does not provide command auditing directly; instead, it captures system metrics and logs.

Updating security groups to restrict SSH access improves security, but enabling AWS Config for monitoring changes and AWS Firewall Manager for remediation does not provide direct command auditing. This option does not fully meet the requirement of auditing the commands run by engineers on the EC2 instances.

Attaching an IAM role with the AmazonSSMManagedInstanceCore policy allows secure access to instances without opening SSH ports. Engineers can access instances through the AWS Systems Manager Session Manager, which provides built-in auditing capabilities for commands executed during the session, thus meeting both security and auditing requirements.

2025-09-29

1 Comment

  1. Tyler
    Author

    I organize that the answer is:
    Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty − 13 =