© 2026 TinyHive Labs. Company number 16262776.

AWS Solutions Architect Professional SAP-C02 Practice Exam 1 · Question 75
Hard · 1 mark · Multiple Choice
Domain 1.2: Security Controls · Tags: Security, Networking, VPC Endpoints, Systems Manager

    AWS SAP-C02 · Question 75 · Domain 1.2: Security Controls

    An architect is designing a secure, multi-account environment. They need to ensure that Amazon EC2 instances in private subnets can securely access AWS Systems Manager (SSM) without traversing the public internet. They also need to ensure that SSM access is restricted ONLY to resources within their specific AWS Organization. Which TWO configurations are required? (Select TWO)

    Answer options:

A. Create Interface VPC Endpoints (AWS PrivateLink) for Systems Manager in the private subnets.

B. Create a Gateway VPC Endpoint for Systems Manager.

C. Attach a VPC Endpoint Policy to the Interface Endpoints that uses the aws:PrincipalOrgID condition key.

D. Deploy a NAT Gateway and configure security groups to only allow traffic to SSM IP addresses.

E. Use AWS Resource Access Manager (RAM) to share the SSM service with the Organization.

F. Configure an SCP to deny the ssm:SendCommand action.

    How to approach this question

    Identify the private connectivity method (Interface Endpoints) and the organizational restriction method (Endpoint Policy with PrincipalOrgID).

    Full Answer

Interface VPC Endpoints (powered by AWS PrivateLink) let resources in private subnets reach AWS services without traversing the public internet. To restrict who may use the endpoint, you attach a VPC Endpoint Policy. Using the `aws:PrincipalOrgID` condition key ensures that only IAM principals belonging to your AWS Organization can send requests through the endpoint, whatever permissions their own identity policies grant.
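As an added illustration (not part of the original question or answer), this is the shape of the endpoint policy option C describes, attached to the `com.amazonaws.<region>.ssm` interface endpoint. `o-EXAMPLEORGID` is a placeholder for the real Organization ID:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyPrincipalsFromMyOrganization",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "ssm:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        }
      }
    }
  ]
}
```

Because the endpoint policy is evaluated in addition to the caller's identity policy, a principal from another account outside the Organization is refused at the endpoint even if its own IAM role allows `ssm:*`. Session Manager traffic also uses the `ssmmessages` and `ec2messages` interface endpoints, so those must exist in the private subnets as well.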

    Common mistakes

Assuming that Systems Manager supports Gateway VPC Endpoints; Gateway Endpoints exist only for Amazon S3 and DynamoDB, so SSM requires Interface Endpoints.