
ANS-C01 Question #202: Real Exam Question with Answer & Explanation

The correct answer is B: Deploy and configure AWS Systems Manager Agent (SSM Agent) on each instance. Deploy VPC. To manage EC2 instances in private subnets with role-based access control and least maintenance, deploy and configure AWS Systems Manager Agent on each instance and use VPC endpoints for Systems Manager.

Submitted by joshua94 · Mar 6, 2026 · Network Management and Operation

Question

A company needs to manage Amazon EC2 instances through command line interfaces for Linux hosts and Windows hosts. The EC2 instances are deployed in an environment in which there is no route to the internet. The company must implement role-based access control for management of the instances. The company has a standalone on-premises environment. Which approach will meet these requirements with the LEAST maintenance overhead?

Options

  • A. Set up an AWS Direct Connect connection between the on-premises environment and the VPC
  • B. Deploy and configure AWS Systems Manager Agent (SSM Agent) on each instance. Deploy VPC
  • C. Establish an AWS Site-to-Site VPN connection between the on-premises environment and the
  • D. Deploy an appliance to the VPC where the instances are deployed. Assign a public IP address to

Explanation

To manage EC2 instances in private subnets with role-based access control and least maintenance, deploy and configure AWS Systems Manager Agent on each instance and use VPC endpoints for Systems Manager.

Common mistakes.

  • A. AWS Direct Connect provides network connectivity but does not inherently offer instance management or role-based access control for individual instances, requiring additional tools or jump boxes with higher maintenance overhead.
  • C. An AWS Site-to-Site VPN connection provides network connectivity between on-premises and AWS, but similar to Direct Connect, it does not directly provide instance management capabilities or integrate with IAM for role-based access for instances, necessitating further setup.
  • D. Deploying an appliance with a public IP in the VPC violates the 'no route to the internet' requirement for the managed EC2 instances and introduces additional maintenance overhead for managing the appliance itself.

Concept tested. AWS Systems Manager for private instance management

Reference. https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-vpc-endpoints.html
