Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in understanding how AWS Systems Manager Session Manager authorizes connections to EC2 instances. In production, this is about knowing exactly how IAM roles attached to EC2 instances enable secure, agent-managed connectivity without requiring open inbound ports. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
A cloud operations team at FinEdge Financial recently launched an Amazon EC2 instance to support their quantitative analytics platform. They use AWS Systems Manager Session Manager to securely connect to instances for operational tasks, avoiding opening SSH ports or managing bastion hosts. After launching the instance and verifying that the latest Systems Manager Agent is installed and running, they notice the instance does not appear in the Session Manager console’s list of managed instances.
The Requirement: #
Identify what is preventing the EC2 instance from showing up as a managed target in Session Manager, so secure shell sessions can be initiated through the Systems Manager service.
The Options #
- A) The operations team lacks the correct SSH key pair required to connect.
- B) The security group attached to the EC2 instance does not permit inbound traffic on port 22 (SSH).
- C) The EC2 instance is missing an IAM role that grants Systems Manager permission to establish the session.
- D) The EC2 instance ID has not been added manually to the Session Manager configuration.
Google adsense #
leave a comment:
Correct Answer #
C
Quick Insight: The SOA-C02 Imperative #
- The instance must have an IAM role attached with the correct Systems Manager permissions (such as
AmazonSSMManagedInstanceCore) so the Systems Manager service can establish and manage sessions.- SSH keys or open port 22 are not required because Session Manager tunnels over HTTPS via the Systems Manager Agent.
- Manual entry of instance IDs into Session Manager is not necessary; registration happens automatically when the agent and IAM role are correct.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option C
The Winning Logic #
Systems Manager Session Manager relies on the Systems Manager Agent running on the EC2 instance to establish a control plane connection to AWS Systems Manager service endpoints securely over HTTPS. However, for the agent to register the instance as a managed target and successfully create an interactive session, the instance must have an IAM role attached that grants the necessary Systems Manager permissions. This is typically the AWS managed policy AmazonSSMManagedInstanceCore or an equivalent custom policy.
Without this IAM role, the instance cannot authenticate to Systems Manager and therefore will not show as a managed instance in the Session Manager console, even if the agent is running.
The Trap (Distractor Analysis): #
- Why not A? SSH key pairs are irrelevant here. Session Manager uses the agent over HTTPS, so SSH keys and credentials don’t come into play.
- Why not B? Security groups controlling inbound port 22 are unnecessary for Session Manager, which does not use SSH or require open ports.
- Why not D? Session Manager discovers instances automatically via the agent and IAM role. Manually adding instance IDs is not required and not supported.
The Technical Blueprint #
SysOps CLI snippet demonstrating IAM role attachment and verification #
# Attach the AmazonSSMManagedInstanceCore role to an existing EC2 instance profile
aws iam attach-role-policy \
--role-name EC2SSMRole \
--policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
# Associate the instance profile with the EC2 instance
aws ec2 associate-iam-instance-profile \
--instance-id i-0abcdef1234567890 \
--iam-instance-profile Name=EC2SSMInstanceProfile
# Verify the instance appears in Systems Manager managed instances list
aws ssm describe-instance-information --filters Key=InstanceIds,Values=i-0abcdef1234567890
The Comparative Analysis #
| Option | Operational Overhead | Automation Level | Impact |
|---|---|---|---|
| A | High (SSH key management) | Low | Fails because irrelevant for Session Manager |
| B | Medium (security group configs) | Medium | Not needed for Session Manager connections |
| C | Low (IAM role attached once) | High | Correct; enables systems manager connectivity |
| D | Low (manual config) | Low | Not applicable/not supported |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always remember: “AWS Systems Manager Session Manager requires the EC2 instance to have an IAM role with Systems Manager permissions attached—no SSH keys or open ports needed.”
Real World #
In production, this principle allows secure, auditable, and seamless shell access to instances without exposing bastion hosts or managing SSH key rotation — enhancing both security and operational efficiency.
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the SOA-C02 exam.