A company runs applications under an AWS Organizations account and outsources operational support to external engineers. The company must grant the external engineers AWS Management Console access and operating system access to Amazon EC2 instances (Amazon Linux) in private subnets, without compromising security. Which solution meets these requirements MOST securely?
Choose an answer
Tap an option to check your answer.
Correct answer: Confirm AWS Systems Manager Agent (SSM Agent) is installed on all instances. Assign an instance profile with the necessary policy to connect to Systems Manager. Use AWS IAM Identity Center to provide the external support engineers console access. Use Systems Manager Session Manager to provide instance access..
Why this is the answer
This solution is the most secure because it leverages AWS Systems Manager Session Manager for instance access, eliminating the need for open inbound ports (like SSH 22) on security groups, SSH keys, or bastion hosts. Session Manager provides secure, auditable, and browser-based or CLI-based access to instances. AWS IAM Identity Center (successor to AWS SSO) centralizes console access management for external engineers across multiple accounts in AWS Organizations, providing a single sign-on experience and simplifying permission management. The instance profile grants the necessary permissions for the SSM Agent to communicate with the Systems Manager service.
Incorrect options:
Providing local IAM user credentials for console access is less secure and harder to manage than IAM Identity Center, especially across multiple accounts.
Allowing SSH access directly from external IP ranges or using bastion hosts requires opening inbound ports, increasing the attack surface, and managing SSH keys, which is less secure and auditable than Session Manager.