Q18 — AWS SCS-C02 Ch.1

Question 18 of 100, Chapter 1

A company has an application on Amazon EC2 instances that store confidential customer data. The company must restrict access to customer data. A security engineer requires secure access to the instances that host the application. According to company policy, users must not open any inbound ports, maintain bastion hosts, or manage SSH keys for the EC2 instances. The security engineer wants to monitor, store, and access all session activity logs. The logs must be encrypted. Which solution will meet these requirements?

Correct Answer: D. Use AWS Systems Manager Session Manager to connect to the EC2 instances. Configure Amazon CloudWatch logging. Select the upload session logs option and allow only encrypted CloudWatch Logs log groups.

Explanation

AWS Systems Manager Session Manager provides interactive shell access to EC2 instances without opening inbound ports, running a bastion host, or distributing SSH keys. The SSM Agent on the instance opens an outbound HTTPS connection to the Systems Manager endpoints (ssm, ssmmessages and ec2messages, reachable over the internet or through VPC interface endpoints), and access is controlled entirely by IAM: the instance profile needs Systems Manager permissions (for example the AmazonSSMManagedInstanceCore managed policy) and the user needs ssm:StartSession on the target instances. Session Manager can also record the full session activity to Amazon CloudWatch Logs (and optionally to Amazon S3), and the session preferences include the setting "Allow only encrypted CloudWatch log groups", which makes Session Manager refuse any log group that is not associated with a KMS key. Option D selects Session Manager and turns on CloudWatch Logs uploads with encrypted-only log groups, so it satisfies every requirement: secure access with no inbound exposure, and session logs that are monitored, stored, and encrypted at rest. Note that the setting does not encrypt the log group for you: the log group must be created with (or associated with) a KMS key first, the key policy must allow the CloudWatch Logs service principal to use it, and the instance role must be allowed to write to the log group (logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups, logs:DescribeLogStreams).
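The following is an added example, not part of the original question page or of any AWS tooling. It audits a Session Manager preferences document (the regional SSM-SessionManagerRunShell document, whose input field names are the real ones) together with a CloudWatch Logs log-group listing against the policy in the question: sessions must be logged, only a KMS-encrypted log group may be used, and any S3 copy must be encrypted as well. The document contents, log-group names, account ID and KMS key ARN are constructed sample data, so the script runs offline without AWS credentials.

```python
import copy
import json

# Constructed example of the regional Session Manager preferences document
# (SSM-SessionManagerRunShell), in the shape returned by
# `aws ssm get-document --name SSM-SessionManagerRunShell --query Content`.
# Field names match the document schema; the values are hypothetical.
PREFERENCES_OK = {
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "",
        "s3KeyPrefix": "",
        "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "/ssm/session-logs",
        "cloudWatchEncryptionEnabled": True,   # "Allow only encrypted CloudWatch log groups"
        "cloudWatchStreamingEnabled": True,
        "kmsKeyId": "",                        # optional session-data (transport) encryption key
        "runAsEnabled": False,
        "runAsDefaultUser": "",
        "idleSessionTimeout": "20",
        "maxSessionDuration": "",
        "shellProfile": {"windows": "", "linux": ""},
    },
}

# Constructed excerpt of `aws logs describe-log-groups` output, keyed by name.
# Only the encrypted group carries a kmsKeyId; account and key IDs are fake.
LOG_GROUPS = {
    "/ssm/session-logs": {
        "logGroupName": "/ssm/session-logs",
        "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/"
                    "11111111-2222-3333-4444-555555555555",
    },
    "/ssm/plaintext": {"logGroupName": "/ssm/plaintext"},
}


def audit_session_logging(prefs, log_groups):
    """Return a list of policy findings; an empty list means the preferences
    meet the question's requirements: sessions are logged to a CloudWatch Logs
    group that has a KMS key, the encrypted-only setting is enforced, and any
    S3 copy of the logs is encrypted too."""
    inputs = prefs.get("inputs", {})
    findings = []

    group = inputs.get("cloudWatchLogGroupName", "")
    if not group:
        findings.append("no CloudWatch log group configured: session activity is not stored")
    else:
        if not inputs.get("cloudWatchEncryptionEnabled", False):
            findings.append("cloudWatchEncryptionEnabled is false: unencrypted log groups would be accepted")
        lg = log_groups.get(group)
        if lg is None:
            findings.append(f"log group {group} does not exist in this region")
        elif not lg.get("kmsKeyId"):
            findings.append(f"log group {group} is not associated with a KMS key")

    # S3 logging is optional, but if a bucket is configured the copy must be encrypted.
    if inputs.get("s3BucketName") and not inputs.get("s3EncryptionEnabled", False):
        findings.append("s3BucketName is set but s3EncryptionEnabled is false")
    return findings


def with_inputs(prefs, **overrides):
    """Return a copy of `prefs` with selected inputs changed (builds negative cases)."""
    out = copy.deepcopy(prefs)
    out["inputs"].update(overrides)
    return out


if __name__ == "__main__":
    cases = {
        "compliant": PREFERENCES_OK,
        "no-logging": with_inputs(PREFERENCES_OK, cloudWatchLogGroupName=""),
        "plaintext-group": with_inputs(PREFERENCES_OK, cloudWatchLogGroupName="/ssm/plaintext"),
        "encryption-not-enforced": with_inputs(PREFERENCES_OK, cloudWatchEncryptionEnabled=False),
    }
    for name, prefs in cases.items():
        print(name, json.dumps(audit_session_logging(prefs, LOG_GROUPS)))
```

In a real account the two inputs come from `aws ssm get-document --name SSM-SessionManagerRunShell` and `aws logs describe-log-groups`; a corrected preferences document is applied with `aws ssm update-document --name SSM-SessionManagerRunShell --content file://prefs.json --document-version '$LATEST'`. The audit deliberately treats a missing `kmsKeyId` on the log group as a failure even when `cloudWatchEncryptionEnabled` is true, because that setting only rejects unencrypted groups at session start; it does not make the group encrypted.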