AWS SAA-C03 #37

A company recently launched a variety of new workloads on Amazon EC2 instances in its AWS account. The company needs to create a strategy to access and administer the instances remotely and securely. The company needs to implement a repeatable process that works with native AWS services and follows the AWS Well-Architected Framework.

Which solution will meet these requirements with the LEAST operational overhead?

A. Use the EC2 serial console to directly access the terminal interface of each instance for administration.

B. Attach the appropriate IAM role to each existing instance and new instance. Use AWS Systems Manager Session Manager to establish a remote SSH session.

C. Create an administrative SSH key pair. Load the public key into each EC2 instance. Deploy a bastion host in a public subnet to provide a tunnel for administration of each instance.

D. Establish an AWS Site-to-Site VPN connection. Instruct administrators to use their local on-premises machines to connect directly to the instances by using SSH keys across the VPN tunnel.


Answer: B. Attach the appropriate IAM role to each existing instance and new instance. Use AWS Systems Manager Session Manager to establish a remote SSH session.

Option B provides a secure and low-operational-overhead solution that aligns with the AWS Well-Architected Framework:

  1. IAM Roles: By attaching the appropriate IAM roles to the instances, you can control access to AWS services and resources. This ensures that only authorized users or systems can interact with the instances.

  2. AWS Systems Manager Session Manager: This service allows you to establish secure, controlled sessions with instances. It doesn't require opening inbound ports in security groups or network access control lists, which improves security.

  3. Least Operational Overhead: Using Systems Manager Session Manager means you don't have to manage additional infrastructure like bastion hosts or VPN connections. It's a managed service provided by AWS, reducing operational overhead.

  4. Secure: The use of IAM roles and Systems Manager for remote access is in line with security best practices, and it provides a controlled and secure method for administrators to access the instances.

Option A (using the EC2 serial console) might be useful in certain scenarios, but it's not suitable for remote administration on a regular basis due to limitations in functionality.

Option C (using a bastion host) adds infrastructure that must be managed and secured, which increases operational overhead.

Option D (AWS Site-to-Site VPN) is a valid option for connecting on-premises resources to AWS, but it introduces more complexity and overhead than necessary for this scenario, making it less suitable for the requirement of least operational overhead.
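A readiness check for the setup described in option B, as an added example that is not part of the original page: it flags instances whose role lacks the AWS managed policy `AmazonSSMManagedInstanceCore` or whose security group rules still admit inbound SSH, which Session Manager does not need. The inventory, instance IDs, field names and finding labels are constructed for illustration; in practice the data would come from the EC2 and IAM APIs.

```python
# AWS managed policy that lets SSM Agent on the instance talk to Systems Manager.
SSM_POLICY = "AmazonSSMManagedInstanceCore"

# Constructed sample inventory (hypothetical IDs and field names, not real API output).
INSTANCES = [
    {"id": "i-0aaa", "role_policies": [SSM_POLICY], "ingress": []},
    {"id": "i-0bbb", "role_policies": [],  # no role attached yet
     "ingress": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "i-0ccc", "role_policies": [SSM_POLICY],
     "ingress": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
                 {"proto": "tcp", "from": 0, "to": 1024, "cidr": "203.0.113.0/24"}]},
]


def admits_ssh(rule):
    """True if an inbound rule lets TCP/22 through, including wide port ranges."""
    if rule["proto"] == "-1":  # "-1" means all protocols and all ports
        return True
    return rule["proto"] == "tcp" and rule["from"] <= 22 <= rule["to"]


def audit(instances):
    """Return {instance_id: [findings]} for instances that are not yet
    set up for Session Manager-only administration."""
    report = {}
    for inst in instances:
        findings = []
        if SSM_POLICY not in inst["role_policies"]:
            findings.append("missing-ssm-role")
        for rule in inst["ingress"]:
            if admits_ssh(rule):
                findings.append(f"inbound-ssh-from:{rule['cidr']}")
        if findings:
            report[inst["id"]] = findings
    return report


if __name__ == "__main__":
    for instance_id, findings in audit(INSTANCES).items():
        print(instance_id, ", ".join(findings))
```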
