AWS SAP-C02 · Question 75 · Domain 1.2: Security Controls
An architect is designing a secure, multi-account environment. They need to ensure that Amazon EC2 instances in private subnets can securely access AWS Systems Manager (SSM) without traversing the public internet. They also need to ensure that SSM access is restricted ONLY to resources within their specific AWS Organization. Which TWO configurations are required? (Select TWO)
Answer options:
Create Interface VPC Endpoints (AWS PrivateLink) for Systems Manager in the private subnets.
Create a Gateway VPC Endpoint for Systems Manager.
Attach a VPC Endpoint Policy to the Interface Endpoints that uses the aws:PrincipalOrgID condition key.
Deploy a NAT Gateway and configure security groups to only allow traffic to SSM IP addresses.
Use AWS Resource Access Manager (RAM) to share the SSM service with the Organization.
Configure an SCP to deny the ssm:SendCommand action.