AWS Certified Solutions Architect Professional SAP-C02 Practice Question

Your company runs payment-processing workloads on Amazon EC2 instances that reside in multiple AWS accounts. Administrators currently use bastion hosts and SSH or RDP to troubleshoot the instances. A security audit mandates that you (1) remove all inbound administrative ports (22 and 3389) from every security group, (2) allow only approved engineers to initiate interactive sessions when required, (3) capture every keystroke and terminal output, store the logs for 365 days, and encrypt them with a customer-managed AWS KMS key, (4) ensure that no one, including administrators, can delete or modify the log data, and (5) replace self-managed bastion hosts with AWS-managed capabilities to minimize operational overhead. Which solution will meet all of these requirements with the least effort?

  • Install the Amazon CloudWatch agent on each EC2 instance to push /var/log/secure and Windows Event logs to CloudWatch Logs encrypted with a customer-managed KMS key. Keep the bastion hosts and change security-group ingress to allow SSH or RDP only from AWS VPN endpoints.

  • Replace bastion hosts with AWS Systems Manager Session Manager. Attach the AmazonSSMManagedInstanceCore instance profile to every EC2 instance, remove the port 22 and 3389 ingress rules, and configure Session Manager to stream session data to (1) an Amazon CloudWatch Logs group associated with a customer-managed KMS key and (2) an Amazon S3 bucket that uses SSE-KMS and a bucket policy that denies s3:DeleteObject. Grant engineers an IAM policy that allows only ssm:StartSession.

  • Continue using bastion hosts but enable AWS CloudTrail and VPC Flow Logs to capture SSH and RDP traffic. Store the logs in an Amazon S3 bucket with default encryption and an S3 Object Lock retention policy. Restrict SSH/RDP access to the bastion hosts to the corporate CIDR block.

  • Replace bastion hosts with AWS Systems Manager Run Command documents that invoke /bin/bash. Remove SSH/RDP ingress rules and enable CloudTrail data events on the S3 bucket that stores command output. Use an S3 lifecycle rule to retain command output for 365 days.

Continuous Improvement for Existing Solutions