AWS Certified Solutions Architect - Associate

Question #1927

A company uses AWS Organizations to manage multiple accounts hosting applications on Amazon EC2 instances in private subnets. The company must grant temporary access to third-party auditors for compliance checks. The auditors require AWS Management Console access and command-line access to Amazon Linux instances without exposing SSH ports or distributing long-term credentials. Which solution meets these requirements MOST securely?

A

Ensure AWS Systems Manager Agent (SSM Agent) is installed on all instances. Attach an instance profile with permissions for Systems Manager. Use AWS IAM Identity Center to grant time-bound console access. Configure Systems Manager Session Manager for secure CLI access without SSH.

B

Install SSM Agent on instances and assign an instance profile for Systems Manager. Create IAM users in each account for auditor console access. Use Session Manager for CLI access but require auditors to store SSH keys for additional verification.

C

Configure security groups to allow SSH access from the auditors' IP ranges during the audit period. Generate temporary IAM user credentials for console access. Distribute SSH key pairs to auditors for direct instance access.

D

Deploy a bastion host in a public subnet with a security group restricted to auditor IP ranges. Allow SSH access from the bastion to instances. Create IAM users with console access and provide SSH keys for CLI connections via the bastion.

Explanation

Option A is correct because:
1. Session Manager gives shell access over the SSM Agent's outbound HTTPS connection to the Systems Manager endpoints, so no inbound port (22 or any other) is opened in a security group and no SSH key pair is distributed. Because the instances sit in private subnets, they need a path to those endpoints: interface VPC endpoints for ssm, ssmmessages and ec2messages, or a NAT gateway.
2. IAM Identity Center (formerly AWS SSO) issues short-lived credentials through a permission set whose session duration you set, and the auditors' access is revoked by deleting the account assignment when the audit ends. Nothing long-lived is created or handed out, for the console or the CLI.
3. The instance profile is what lets the SSM Agent register with Systems Manager and accept sessions; the AWS managed policy AmazonSSMManagedInstanceCore is sufficient for that. Session start can be scoped further by restricting ssm:StartSession to tagged instances, and every session can be logged to CloudWatch Logs or S3 for the audit record.

Other options fail because:
- B: IAM users created in each account carry long-term passwords and access keys, and "storing SSH keys for additional verification" adds a second long-term credential that Session Manager does not use anyway.
- C: Opening port 22 to the auditors' IP ranges exposes SSH directly, and distributing key pairs is exactly the long-term credential the requirement rules out. IAM user credentials are not temporary by nature; temporary credentials come from STS or Identity Center.
- D: A bastion host still exposes an SSH port (on the bastion) and still relies on IAM users and distributed SSH keys, so it fails both requirements, and it adds a host to patch and monitor.

Key Points:
- Session Manager gives shell access without SSH ports or keys; in private subnets, provide VPC endpoints or NAT so the agent can reach Systems Manager.
- IAM Identity Center permission sets provide temporary console and CLI credentials with a configurable session duration.
- Avoid IAM users, SSH keys and inbound SSH for third-party access.
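The following script is an added example of how option A is wired up with the AWS CLI; it is not from the exam page or an AWS reference solution. It assumes in-scope instances carry the tag Audit=true, that the environment variables SSO_INSTANCE_ARN, ACCOUNT_ID, SSO_USER_ID, REGION, VPC_ID, SUBNET_IDS and ENDPOINT_SG_ID are placeholders you set before running the apply steps, and that the role, profile and permission-set names are arbitrary choices.

```shell
#!/usr/bin/env bash
# Added example, not the exam's or AWS's own code. Assumed: in-scope instances are tagged
# Audit=true; SSO_INSTANCE_ARN, ACCOUNT_ID, SSO_USER_ID, REGION, VPC_ID, SUBNET_IDS and
# ENDPOINT_SG_ID are placeholders supplied by the operator.
set -euo pipefail

AUDIT_TAG_KEY="${AUDIT_TAG_KEY:-Audit}"
AUDIT_TAG_VALUE="${AUDIT_TAG_VALUE:-true}"
ROLE_NAME="AuditSSMInstanceRole"          # assumed name
PROFILE_NAME="AuditSSMInstanceProfile"    # assumed name

# Trust policy for the instance role: only the EC2 service may assume it.
instance_role_trust_policy() {
  cat <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [{ "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" },
                  "Action": "sts:AssumeRole" }] }
EOF
}

# Inline policy for the auditor permission set: ssm:StartSession only on instances tagged
# Audit=true and only via the default shell document, control of the caller's own sessions,
# and read-only discovery. Deliberately no ssm:SendCommand and no EC2 write actions.
auditor_session_policy() {
  cat <<EOF
{ "Version": "2012-10-17",
  "Statement": [
    { "Sid": "StartShellOnAuditTaggedInstances", "Effect": "Allow",
      "Action": "ssm:StartSession", "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/${AUDIT_TAG_KEY}": "${AUDIT_TAG_VALUE}" },
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" } } },
    { "Sid": "OnlyDefaultShellDocument", "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell" },
    { "Sid": "ManageOwnSessionsOnly", "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:userid}-*" },
    { "Sid": "ReadOnlyDiscovery", "Effect": "Allow",
      "Action": ["ssm:DescribeInstanceInformation", "ssm:DescribeSessions",
                 "ssm:GetConnectionStatus", "ec2:DescribeInstances"],
      "Resource": "*" } ] }
EOF
}

# Instance side, run in each member account: role + instance profile carrying the AWS
# managed AmazonSSMManagedInstanceCore policy, plus interface endpoints so agents in
# private subnets reach Systems Manager with no NAT gateway and no inbound rule.
apply_instance_side() {
  : "${REGION:?}" "${VPC_ID:?}" "${SUBNET_IDS:?}" "${ENDPOINT_SG_ID:?}"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(instance_role_trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$PROFILE_NAME" \
    --role-name "$ROLE_NAME"
  for svc in ssm ssmmessages ec2messages; do
    aws ec2 create-vpc-endpoint --vpc-id "$VPC_ID" --vpc-endpoint-type Interface \
      --service-name "com.amazonaws.${REGION}.${svc}" --subnet-ids $SUBNET_IDS \
      --security-group-ids "$ENDPOINT_SG_ID" --private-dns-enabled
  done
}

# Identity side, run where Identity Center is administered: a permission set with a
# two-hour session, the inline policy above, and one assignment per audited account
# (repeat the assignment for each ACCOUNT_ID; delete it when the audit ends).
apply_identity_side() {
  : "${SSO_INSTANCE_ARN:?}" "${ACCOUNT_ID:?}" "${SSO_USER_ID:?}"
  ps_arn=$(aws sso-admin create-permission-set --instance-arn "$SSO_INSTANCE_ARN" \
    --name ComplianceAuditor --session-duration PT2H \
    --query 'PermissionSet.PermissionSetArn' --output text)
  aws sso-admin put-inline-policy-to-permission-set --instance-arn "$SSO_INSTANCE_ARN" \
    --permission-set-arn "$ps_arn" --inline-policy "$(auditor_session_policy)"
  aws sso-admin create-account-assignment --instance-arn "$SSO_INSTANCE_ARN" \
    --permission-set-arn "$ps_arn" --principal-type USER --principal-id "$SSO_USER_ID" \
    --target-type AWS_ACCOUNT --target-id "$ACCOUNT_ID"
}

# Check which tagged instances have an Online agent before an auditor tries to connect.
list_online_audit_targets() {
  aws ssm describe-instance-information \
    --filters "Key=tag:${AUDIT_TAG_KEY},Values=${AUDIT_TAG_VALUE}" \
              "Key=PingStatus,Values=Online" \
    --query 'InstanceInformationList[].[InstanceId,AgentVersion]' --output text
}

case "${1:-}" in
  instance) apply_instance_side ;;
  identity) apply_identity_side ;;
  list)     list_online_audit_targets ;;
  connect)  aws ssm start-session --target "${2:?instance id}" ;;  # needs the Session Manager plugin
esac
```

Run it as `./auditor-access.sh instance` in each member account, `./auditor-access.sh identity` once per account assignment, then `./auditor-access.sh list` and `./auditor-access.sh connect i-...` with the auditor's Identity Center credentials. The ssm:SessionDocumentAccessCheck condition forces the document statement to be evaluated, so an auditor cannot start a session with a custom document that, for example, runs as a different user or enables port forwarding.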

Answer

The correct answer is: A