AWS Certified Solutions Architect - Associate / Question #1742 of 1019

Question #1742

A company uses Amazon EC2 instances that assume an IAM role with specific policies. They need to use AWS Systems Manager to collect inventory data from the EC2 instances without disrupting their current operations. Which solution will meet these requirements?

A

Create a new IAM role. Attach the AmazonSSMManagedInstanceCore policy to the new role. Associate both the new role and the existing IAM role with the EC2 instances.

B

Create an IAM user. Attach the AmazonSSMManagedInstanceCore policy to the user. Configure Systems Manager to use the IAM user credentials to access the EC2 instances.

C

Enable Default Host Management Configuration in Systems Manager to manage the EC2 instances.

D

Remove the existing policies from the current IAM role. Attach the AmazonSSMManagedInstanceCore policy to the existing IAM role.

Explanation

The correct answer is C. AWS Systems Manager (SSM) requires EC2 instances to have the AmazonSSMManagedInstanceCore policy to collect inventory data. However, modifying the existing IAM role (as in Option D) could disrupt current operations.

Option A is invalid because EC2 instances cannot have multiple IAM roles. Option B incorrectly uses IAM user credentials, which are not suitable for EC2 instances (they use IAM roles).

Option C leverages the Default Host Management Configuration, which automatically uses the AWS service-linked role AWSServiceRoleForAmazonSSM to grant necessary permissions. This approach avoids changes to the existing IAM role, ensuring seamless integration with SSM.

Key takeaway: Use Default Host Management Configuration to enable SSM without altering existing IAM roles.

Answer

The correct answer is: C