A company hosts a financial reporting platform on EC2. Administrators must connect without opening SSH or RDP ports to the internet. What should the architect use?
Session Manager provides audited shell access without inbound SSH/RDP exposure.
Why this answer
AWS Systems Manager Session Manager provides interactive shell access to EC2 instances without any inbound security-group rule for SSH (22) or RDP (3389). The instance runs SSM Agent and carries an IAM instance profile (the AmazonSSMManagedInstanceCore managed policy is the standard grant) that lets the agent call the Systems Manager APIs. The agent initiates outbound HTTPS (443) connections to the ssm, ssmmessages and ec2messages endpoints and keeps that channel open; an administrator's session is relayed over it, so no connection is ever initiated from the internet to the instance. An instance in a private subnet with no NAT can reach those endpoints through VPC interface endpoints. Session activity can be logged to CloudWatch Logs or S3 and the start-session calls appear in CloudTrail, which is what makes the access auditable. This satisfies the requirement of no public-facing SSH or RDP ports while still giving administrators a shell (and, via port forwarding, RDP).
Exam trap
The trap is defaulting to a bastion host (Option B) as the traditional answer. The question explicitly prohibits opening SSH or RDP ports to the internet, and a bastion still needs an inbound SSH or RDP rule on a public-facing instance, even when the source is narrowed to a corporate CIDR. Session Manager needs no inbound rule at all, so it is the only option that meets the constraint as written.
How to eliminate wrong answers
Option A is wrong because assigning a public Elastic IP to each instance exposes every instance directly to the internet and still requires inbound SSH or RDP rules to reach them, which violates the requirement. Option B is wrong because a bastion host with SSH open to 0.0.0.0/0 exposes the bastion to the entire internet, creates a single high-value target, and still depends on an open SSH port, which does not meet the 'without opening SSH or RDP ports to the internet' constraint. Option D is wrong because an internet gateway is attached to the VPC, not to a subnet; a subnet only becomes public when its route table sends 0.0.0.0/0 to that gateway. The gateway provides routing for instances with public IPs, not a management channel, and any SSH or RDP reached through it would still require those inbound ports to be open.
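As an added example (not part of the original question set), the following Python shows the two checks a practitioner would actually run before choosing between a bastion and Session Manager: flag every inbound SSH/RDP rule in a set of security groups, labelling whether it is open to the internet or merely CIDR-restricted (the bastion trap above), and confirm a group is Session-Manager-ready (no management ingress, 443 egress for SSM Agent). It also builds the IAM pieces the instance profile needs. The security-group JSON is constructed to mirror the shape of `aws ec2 describe-security-groups` output; the group IDs, CIDRs and role name are placeholders, not real infrastructure.

```python
"""Audit security groups for inbound SSH/RDP and check Session Manager prerequisites.

Added example, not AWS code. SAMPLE_GROUPS is a constructed stand-in for the
JSON that `aws ec2 describe-security-groups --output json` returns.
"""
import json
from ipaddress import ip_network

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
# Managed policy that grants SSM Agent the permissions Session Manager needs.
SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Constructed sample: a bastion-style group and a Session-Manager-only group.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-bastion", "GroupName": "bastion-ssh",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
         ],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-ssm-only", "GroupName": "reporting-app",
         "IpPermissions": [],  # no inbound rules at all
         "IpPermissionsEgress": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ]
}


def rule_admits_port(rule, port):
    """True if a security-group rule lets TCP traffic on `port` through."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports (FromPort/ToPort are absent)
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_sources(rule):
    """Every CIDR a rule applies to, IPv4 and IPv6."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def inbound_management_rules(groups):
    """List every inbound SSH/RDP rule. scope is 'internet' for 0.0.0.0/0 or ::/0
    and 'restricted' otherwise; a CIDR-limited bastion rule is still an open port."""
    findings = []
    for g in groups["SecurityGroups"]:
        for rule in g.get("IpPermissions", []):
            for port, name in MANAGEMENT_PORTS.items():
                if not rule_admits_port(rule, port):
                    continue
                for cidr in rule_sources(rule):
                    scope = "internet" if ip_network(cidr, strict=False).prefixlen == 0 else "restricted"
                    findings.append({"group": g["GroupId"], "port": port,
                                     "service": name, "cidr": cidr, "scope": scope})
    return findings


def allows_https_egress(group):
    """SSM Agent only needs to reach the SSM endpoints outbound on 443."""
    return any(rule_admits_port(r, 443) for r in group.get("IpPermissionsEgress", []))


def session_manager_ready(group):
    """No inbound SSH/RDP at all, and 443 egress available for the agent."""
    has_mgmt_ingress = any(rule_admits_port(r, p)
                           for r in group.get("IpPermissions", [])
                           for p in MANAGEMENT_PORTS)
    return not has_mgmt_ingress and allows_https_egress(group)


def instance_profile_setup(role_name):
    """IAM pieces for the instance: an EC2 trust policy plus the managed policy."""
    trust = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow",
                            "Principal": {"Service": "ec2.amazonaws.com"},
                            "Action": "sts:AssumeRole"}]}
    return {"RoleName": role_name,
            "AssumeRolePolicyDocument": json.dumps(trust),
            "ManagedPolicyArns": [SSM_CORE_POLICY_ARN]}


if __name__ == "__main__":
    for f in inbound_management_rules(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['service']}/{f['port']} from {f['cidr']} ({f['scope']})")
    for g in SAMPLE_GROUPS["SecurityGroups"]:
        print(f"{g['GroupId']} Session Manager ready: {session_manager_ready(g)}")
    print(json.dumps(instance_profile_setup("reporting-ssm-role"), indent=2))
```

Against the sample, the bastion group yields two findings (SSH from the internet, RDP from a restricted CIDR) and fails the readiness check, while the app group passes with no inbound rules at all. In a real account, feed the output of `aws ec2 describe-security-groups --output json` to `inbound_management_rules`, attach the managed policy with `aws iam attach-role-policy --role-name <role> --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore`, and connect with `aws ssm start-session --target <instance-id>` (the session-manager-plugin must be installed on the client). RDP to a Windows instance goes through the same channel with `--document-name AWS-StartPortForwardingSession --parameters portNumber=3389,localPortNumber=13389`, so port 3389 never needs an inbound rule.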