Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in how to securely and scalably provide remote shell access without exposing instances directly to the internet or managing bastion hosts.
In production, this is about knowing exactly which AWS native service fits best to minimize operational overhead while enforcing least privilege. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
CloudInnovate, a mid-sized technology company, operates multiple Amazon EC2 instances inside private subnets across their VPC. These instances run the latest Amazon Linux 2 and Windows Server AMIs provided by AWS. The on-call operations team frequently needs to perform troubleshooting and run administrative commands on these EC2 instances.
CloudInnovate already uses IAM roles assigned to these instances and wants to leverage them effectively. The Site Reliability Engineering (SRE) lead must implement a secure, scalable solution that grants the on-call team access to the instances, leveraging existing IAM roles and minimizing exposure to direct inbound traffic.
The Requirement #
What solution best meets the following criteria?
- Enables secure remote command execution to EC2 instances in private subnets.
- Uses AWS-managed capabilities without adding internet-exposed bastion hosts or Elastic IPs.
- Grants access via permissions to an IAM role assigned to the team.
The Options #
- A) Add an IAM policy to the team's role allowing the ssm:StartSession action. Instruct the team to use AWS Systems Manager Session Manager to start sessions on the instances using their assumed IAM role.
- B) Assign Elastic IP addresses and a security group with the team's public IP to each instance. Update the IAM role policy to allow ec2:AuthorizeSecurityGroupIngress so the team can connect directly via SSH/RDP.
- C) Deploy a bastion EC2 instance in a public subnet and associate it with the VPC. Add an IAM policy to allow the team ec2:CreateVpnConnection to the bastion host. Instruct the team to connect through the bastion to reach private instances.
- D) Place an internet-facing Network Load Balancer (NLB) with two listeners: port 22 forwarding to Linux targets and port 3389 to Windows targets. Add an IAM policy allowing ec2:CreateRoute so the team can connect via the NLB.
Correct Answer #
A.
Quick Insight: The SysOps Imperative #
Native AWS Systems Manager Session Manager provides the most secure and operationally efficient method to grant remote shell access without exposing instances or managing additional infrastructure. This method uses IAM permissions cleanly and integrates seamlessly with CloudTrail auditing and AWS logging services.
The Expert’s Analysis #
Correct Answer #
Option A
The Winning Logic #
Allowing the team's IAM role the ssm:StartSession action enables the use of AWS Systems Manager Session Manager for remote access. This is a fully managed AWS service that:
- Does not require inbound SSH or RDP ports to be open in security groups or network ACLs. The SSM Agent on the instance opens an outbound connection to the Systems Manager service, and the shell session is tunnelled over that connection.
- Requires only that instances run the SSM Agent (preinstalled on current Amazon Linux and AWS-provided Windows Server AMIs) and an instance profile role carrying the AmazonSSMManagedInstanceCore managed policy or equivalent permissions.
- Provides auditable access that IAM policies can scope down to specific instances, either by listing instance ARNs in the Resource element or with a Condition on the ssm:resourceTag/<key> key.
- Avoids managing bastion hosts, VPNs, or inbound firewall rules. Instances in private subnets still need an outbound path to the ssm, ssmmessages, and ec2messages endpoints, either through a NAT gateway or, preferably, VPC interface endpoints so the traffic never leaves the VPC.
- CloudTrail records the StartSession and TerminateSession API calls (who connected to which instance, and when), and Session Manager can stream full session transcripts to CloudWatch Logs and Amazon S3.
The Trap (Distractor Analysis): #
- Why not B? Elastic IPs plus an inbound SSH/RDP rule put every instance on the internet, which the requirement explicitly rules out. Granting the team ec2:AuthorizeSecurityGroupIngress also lets them rewrite firewall rules at will, the opposite of least privilege, and the login itself is still gated by SSH keys and local passwords rather than the IAM role.
- Why not C? A bastion is one more internet-exposed host to patch, monitor, and keep highly available, and its SSH keys must be distributed and rotated outside IAM. ec2:CreateVpnConnection is a distractor: it creates an AWS Site-to-Site VPN connection to a virtual private gateway and has nothing to do with logging in to a bastion.
- Why not D? An internet-facing NLB is a layer 4 pass-through, so listeners on ports 22 and 3389 simply publish SSH and RDP on the instances to the whole internet, with no identity-based authentication and no session logging. ec2:CreateRoute modifies VPC route tables and is unrelated to connecting; the option adds public exposure and routing complexity for no benefit.
The Technical Blueprint #
IAM Policy Snippet for Option A: #
The team's role needs ssm:StartSession on the target instances. Add ssm:TerminateSession and ssm:ResumeSession scoped to the caller's own sessions so engineers can end or reconnect their sessions without being able to touch anyone else's (this is the pattern in AWS's quickstart end-user policy; session IDs are prefixed with the IAM user name or, for an assumed role, the role session name):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:region:account-id:instance/*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
```
The Resource on StartSession can be narrowed to specific instance IDs, or a Condition such as "StringEquals": {"ssm:resourceTag/Team": "sre"} can limit sessions to instances carrying that tag. If a custom session document is configured, the team also needs ssm:StartSession on that document's ARN.
To start a session from the CLI (the Session Manager plugin must be installed on the workstation alongside the AWS CLI):
```bash
aws ssm start-session --target i-0123456789abcdef0
```
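When a start-session call fails, the cause is almost always one of three things: the role's policy denies the target, the instance never registered with Systems Manager (instance profile or endpoint connectivity), or it registered earlier but the agent has stopped pinging. The following pre-flight check is an added example, not code from the original study note or from AWS. It consumes the shape of two real API responses, the InstanceInformationList from aws ssm describe-instance-information and the Tags from aws ec2 describe-instances, but the instance IDs, tags, and statuses are constructed so the script runs offline. The assumption that the team's StartSession statement is limited with an ssm:resourceTag/Team = sre condition is also the example's own.

```python
"""Pre-flight check for Session Manager targets (added example, offline).

Field names (InstanceInformationList, InstanceId, PingStatus, ...) match the
real describe-instance-information response; all values are constructed.
"""

# Constructed: what describe-instance-information returns. Only instances
# whose SSM Agent has registered with the service appear here at all.
SSM_INVENTORY = {
    "InstanceInformationList": [
        {"InstanceId": "i-0aaa1111aaaa1111a", "PingStatus": "Online",
         "PlatformType": "Linux", "AgentVersion": "3.2.1705.0"},
        {"InstanceId": "i-0bbb2222bbbb2222b", "PingStatus": "ConnectionLost",
         "PlatformType": "Windows", "AgentVersion": "3.1.1732.0"},
        {"InstanceId": "i-0ddd4444dddd4444d", "PingStatus": "Online",
         "PlatformType": "Linux", "AgentVersion": "3.2.1705.0"},
    ]
}

# Constructed: instance tags from describe-instances, flattened to
# {instance_id: {tag_key: tag_value}}.
EC2_TAGS = {
    "i-0aaa1111aaaa1111a": {"Environment": "prod", "Team": "sre"},
    "i-0bbb2222bbbb2222b": {"Environment": "prod", "Team": "sre"},
    "i-0ccc3333cccc3333c": {"Environment": "prod", "Team": "sre"},
    "i-0ddd4444dddd4444d": {"Environment": "dev", "Team": "data"},
}

# Assumption for this example: the on-call role's StartSession statement has
# "Condition": {"StringEquals": {"ssm:resourceTag/Team": "sre"}}.
TEAM_TAG = ("Team", "sre")


def classify_target(instance_id: str, ssm_inventory: dict, ec2_tags: dict,
                    team_tag: tuple) -> str:
    """Predict the outcome of `aws ssm start-session --target <instance_id>`.

    Returns one of:
      ready          IAM allows the target and the agent is Online
      denied-by-tag  IAM will return AccessDeniedException (tag condition fails)
      not-managed    never registered with SSM: check the instance profile
                     (AmazonSSMManagedInstanceCore) and endpoint reachability
      agent-offline  registered earlier but not pinging now: agent stopped or
                     the NAT / VPC-endpoint path to ssmmessages is broken
      unknown        instance ID does not exist in the account
    """
    tags = ec2_tags.get(instance_id)
    if tags is None:
        return "unknown"
    key, value = team_tag
    # IAM is evaluated before the service looks at the target, so a tag
    # mismatch is reported ahead of any agent problem.
    if tags.get(key) != value:
        return "denied-by-tag"
    by_id = {i["InstanceId"]: i for i in ssm_inventory["InstanceInformationList"]}
    info = by_id.get(instance_id)
    if info is None:
        return "not-managed"
    if info["PingStatus"] != "Online":
        return "agent-offline"
    return "ready"


def preflight(instance_ids, ssm_inventory=SSM_INVENTORY, ec2_tags=EC2_TAGS,
              team_tag=TEAM_TAG) -> dict:
    """Classify every requested target; returns {instance_id: status}."""
    return {i: classify_target(i, ssm_inventory, ec2_tags, team_tag)
            for i in instance_ids}


def session_command(instance_id: str) -> str:
    """CLI invocation for a target that passed pre-flight."""
    return f"aws ssm start-session --target {instance_id}"


if __name__ == "__main__":
    for iid, status in preflight(EC2_TAGS).items():
        hint = f"  -> {session_command(iid)}" if status == "ready" else ""
        print(f"{iid}: {status}{hint}")
```

In a real environment the two dictionaries come from the CLI or boto3 calls named above; the classification logic is what an on-call runbook needs, because "instance exists" and "instance is an Online managed node" are different questions and the failure message from start-session alone does not distinguish them.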
The Comparative Analysis #
| Option | Operational Overhead | Automation Level | Security Impact |
|---|---|---|---|
| A | Low | High | Least privilege; no open ports |
| B | High | Low | Exposes instances; higher risk |
| C | Medium | Medium | Adds bastion; more attack surface |
| D | High | Low | Public exposure; complex routing |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick Systems Manager Session Manager when you see remote management of private EC2 without bastions.
Real World #
In reality, some legacy environments still run bastions or VPNs due to compliance or existing tooling, but AWS recommends moving to Session Manager to reduce operational risk and cost.
Disclaimer
This is a study note based on simulated scenarios for the AWS SOA-C02 exam.