Medium · 1 mark · Multiple Choice
Domain 3.2: Security Improvement · Security · VPC · Systems Manager

AWS SAP-C02 · Question 51 · Domain 3.2: Security Improvement

An architect is reviewing a legacy application running on EC2 instances. The instances have public IP addresses and are accessed directly via SSH by administrators. The architect must improve security by removing public IPs and eliminating inbound open ports, while still allowing administrators to access the instances securely. Which TWO actions should be taken? (Select TWO)

Answer options:

A. Deploy a Bastion Host in a public subnet.

B. Move the EC2 instances to private subnets.

C. Configure AWS Client VPN to access the instances.

D. Use AWS Systems Manager Session Manager to access the instances.

E. Use EC2 Instance Connect.

F. Attach an Elastic IP to each instance.

How to approach this question

Identify how to make instances private and how to access them without SSH.

Full Answer

Moving instances to private subnets removes public IPs. AWS Systems Manager Session Manager allows secure access to private instances without opening inbound ports, as the SSM agent makes an outbound connection to AWS.

Common mistakes

Choosing a Bastion Host, which is a legacy pattern.
