SCS-C03 Question #6: Real Exam Question with Answer & Explanation
The correct answer is A: Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for
Question
A company is attempting to conduct forensic analysis on an Amazon EC2 instance, but the company is unable to connect to the instance by using AWS Systems Manager Session Manager. The company has installed AWS Systems Manager Agent (SSM Agent) on the EC2 instance. The EC2 instance is in a subnet in a VPC that does not have an internet gateway attached. The company has associated a security group with the EC2 instance. The security group does not have inbound or outbound rules. The subnet's network ACL allows all inbound and outbound traffic. Which combination of actions will allow the company to conduct forensic analysis on the EC2 instance without compromising forensic data? (Select THREE.)
Options
- A. Update the EC2 instance security group to add a rule that allows outbound traffic on port 443 for
- B. Update the EC2 instance security group to add a rule that allows inbound traffic on port 443 to the
- C. Create an EC2 key pair. Associate the key pair with the EC2 instance.
- D. Create a VPC interface endpoint for Systems Manager in the VPC where the EC2 instance is
- E. Attach a security group to the VPC interface endpoint. Allow inbound traffic on port 443 to the
- F. Create a VPC interface endpoint for the EC2 instance in the VPC where the EC2 instance is
Explanation
AWS Systems Manager Session Manager requires secure outbound HTTPS connectivity from the EC2 instance to Systems Manager endpoints. In a VPC without internet access, AWS Certified Security - Specialty documentation recommends using interface VPC endpoints to enable private connectivity without exposing the instance to the internet. Creating a VPC interface endpoint for Systems Manager allows the SSM Agent to communicate securely with the Systems Manager service. The endpoint must have an attached security group that allows inbound traffic on port 443 from the VPC CIDR range. Additionally, the EC2 instance security group must allow outbound HTTPS traffic on port 443 so the agent can initiate

Option C is incorrect because creating or associating key pairs enables SSH access, which can alter forensic evidence and violates forensic best practices. Option B is unnecessary because Session Manager does not require inbound rules on the EC2 instance. Option F is invalid because EC2 does not use interface endpoints for management connectivity. This combination ensures secure, private access for forensic investigation while preserving evidence integrity and adhering to AWS incident response best practices.