Developers need secure SSH access to Amazon EC2 instances running the latest Amazon Linux. Developers work remotely and from the corporate office. The EC2 instances are in a VPC private subnet and use a NAT gateway in a public subnet for internet access. The company prefers to use AWS services and minimize cost. What should a solutions architect do MOST cost-effectively?
Choose an answer
Tap an option to check your answer.
Correct answer: Attach the AmazonSSMManagedInstanceCore IAM policy to an IAM role that is associated with the EC2 instances. Instruct the developers to use AWS Systems Manager Session Manager to access the EC2 instances..
Why this is the answer
The most cost-effective and secure solution is to use AWS Systems Manager Session Manager. By attaching the AmazonSSMManagedInstanceCore IAM policy to an IAM role associated with the EC2 instances, Session Manager can establish secure SSH connections without opening inbound ports on the instances or requiring a bastion host. This eliminates the cost and management overhead of a bastion host and provides a fully managed, auditable access method. Creating a bastion host in the same private subnet is incorrect because it would not be directly reachable from outside the VPC. Creating an AWS Site-to-Site VPN is more complex and costly, requiring managing VPN infrastructure and separate solutions for remote users. A bastion host in the public subnet works, but Session Manager is more cost-effective as it's a free service for this use case and simplifies network configuration by not requiring inbound SSH ports.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed