SCS-C03 · Question #18
SCS-C03 Question #18: Real Exam Question with Answer & Explanation
The correct answer is D: Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to
Question
A company runs an internet-accessible application on several Amazon EC2 instances that run Windows Server. The company used an instance profile to configure the EC2 instances. A security team currently accesses the VPC that hosts the EC2 instances by using an AWS Site-to-Site VPN tunnel from an on-premises office. The security team issues a policy that requires all external access to the VPC to be blocked in the event of a security incident. However, during an incident, the security team must be able to access the EC2 instances to obtain forensic information on the instances. Which solution will meet these requirements?
Options
- A. Install EC2 Instance Connect on the EC2 instances. Update the IAM policy for the IAM role to
- B. Install EC2 Instance Connect on the EC2 instances. Configure the instances to permit access to
- C. Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to
- D. Create an EC2 Instance Connect endpoint in the VPC. Configure an appropriate security group to
Explanation
EC2 Instance Connect endpoints provide secure, private connectivity to EC2 instances without requiring public IP addresses, inbound internet access, or VPN connectivity. According to AWS Certified Security - Specialty documentation, Instance Connect endpoints are designed specifically for incident response and secure administrative access scenarios. By deploying an EC2 Instance Connect endpoint in the VPC, the security team can block all external network access while still maintaining controlled access to EC2 instances through the AWS Management Console. The endpoint uses AWS-managed infrastructure and private connectivity, and access is authorized using IAM policies and instance profiles. Options A and B rely on direct EC2 Instance Connect installation and network paths that may still depend on external access. Option C is incorrect because tunneling is not required when using the console-based Instance Connect endpoint. This solution enables forensic access during incidents without reopening external network paths, aligning with AWS incident response best practices.
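The explanation above leans on two controls: an IAM policy that scopes who may open a tunnel through the endpoint, and a security group that lets only the endpoint reach the instances. The following Python is an added example written for this page; it is not code from the exam page or from AWS. It builds the responder's IAM policy using the documented `ec2-instance-connect:OpenTunnel` condition keys (`remotePort`, `privateIpAddress`, `maxTunnelDuration`) and audits an instance security group in the same JSON shape that `aws ec2 describe-security-groups` returns. The endpoint ARN, security group IDs, account ID and CIDR are placeholders, and the two sample security groups are constructed inputs.

```python
"""Added example for the EC2 Instance Connect Endpoint design (option D).
Not from the exam page or AWS; all ARNs, group IDs and CIDRs are placeholders.
"""
import json

# Placeholders: replace with the real endpoint ARN, the SG attached to the
# endpoint, and the subnet that hosts the Windows instances.
ENDPOINT_ARN = ("arn:aws:ec2:us-east-1:111122223333:"
                "instance-connect-endpoint/eice-0123456789abcdef0")
ENDPOINT_SG = "sg-0endpointplaceholder"
APP_SUBNET_CIDR = "10.0.1.0/24"
RDP_PORT = 3389  # Windows Server: RDP through the endpoint tunnel


def build_responder_policy(endpoint_arn=ENDPOINT_ARN, subnet_cidr=APP_SUBNET_CIDR,
                           port=RDP_PORT, max_seconds=3600):
    """IAM policy for the incident-response role (constructed example).

    OpenTunnel is allowed only through one named endpoint, only to `port`,
    only to private IPs inside the application subnet, and only for tunnels
    that last at most `max_seconds`. The Describe* actions let the console
    and CLI list the endpoint and the target instance.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OpenTunnelOnlyViaEndpoint",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:OpenTunnel",
                "Resource": endpoint_arn,
                "Condition": {
                    "NumericEquals": {"ec2-instance-connect:remotePort": str(port)},
                    "IpAddress": {"ec2-instance-connect:privateIpAddress": subnet_cidr},
                    "NumericLessThanEquals": {
                        "ec2-instance-connect:maxTunnelDuration": str(max_seconds)},
                },
            },
            {
                "Sid": "DescribeForConsoleAndCli",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstanceConnectEndpoints",
                           "ec2:DescribeInstances"],
                "Resource": "*",
            },
        ],
    }


def audit_instance_sg(sg, endpoint_sg=ENDPOINT_SG, port=RDP_PORT):
    """Check that the instance SG admits the admin port only from the endpoint SG.

    Scope: inbound rules that cover `port`, plus all-traffic rules. Returns a
    list of findings; an empty list means the group matches the design (no
    CIDR sources, no foreign SG sources, and the endpoint SG is allowed in).
    """
    findings = []
    endpoint_allowed = False
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":
            findings.append(f"{sg['GroupId']}: all-traffic inbound rule present")
            continue
        if not (proto == "tcp" and lo is not None and lo <= port <= hi):
            continue  # rules for other ports are outside this check
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"{sg['GroupId']}: tcp/{port} open to CIDR {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == endpoint_sg:
                endpoint_allowed = True
            else:
                findings.append(f"{sg['GroupId']}: tcp/{port} open to other SG "
                                f"{pair.get('GroupId')}")
    if not endpoint_allowed:
        findings.append(f"{sg['GroupId']}: endpoint SG {endpoint_sg} cannot reach tcp/{port}")
    return findings


# Constructed sample groups in describe-security-groups shape.
HARDENED_SG = {
    "GroupId": "sg-0instanceplaceholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": ENDPOINT_SG, "UserId": "111122223333"}]},
    ],
}
EXPOSED_SG = {  # the pre-incident state this design is meant to replace
    "GroupId": "sg-0instanceplaceholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_responder_policy(), indent=2))
    for name, sg in (("hardened", HARDENED_SG), ("exposed", EXPOSED_SG)):
        print(name, audit_instance_sg(sg) or "OK")
```

The endpoint's own security group still needs an outbound rule to the instance SG on the same port, and the audit deliberately ignores application ports (such as 443 behind a load balancer) so that it reports only management-path exposure; extend the port list if the instances also run SSH.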