-
Need Clarification on VPC Interface endpoint related question
-
Category: SEC – Infrastructure Security
A company wants to perform forensic analysis on an Amazon EC2 Instance. However, the SecOps team is having trouble connecting to it using AWS Systems Manager Session Manager even though the AWS Systems Manager Agent (SSM Agent) is already installed on the EC2 instance.
The EC2 instance is in a private subnet with no attached internet gateway, and its associated security group has neither inbound nor outbound rules configured. The Network Access Control List (NACL) allows all inbound and outbound traffic as well as properly configured ephemeral ports.
Which combination of steps will allow the SecOps team to connect to the EC2 instance using AWS Systems Manager Session Manager? (Select THREE.)
1. Launch a VPC interface endpoint for the AWS Systems Manager in the same VPC where the EC2 instance is configured.
2. Edit the EC2 instance security group to add an outbound rule that allows outbound traffic to 0.0.0.0/0 on port 443.
3. Configure a security group that allows inbound traffic for VPC’s CIDR range on port 443. Attach the security group to the VPC interface endpoint.
4. Edit the EC2 instance security group to add a rule that allows outbound traffic to VPC interface endpoints’ security group on port 443.
5. Edit the EC2 instance security group to add a rule that allows inbound traffic to the VPC interface endpoint for the Systems Manager’s security group on port 443.
6. Create a new security group that allows outbound traffic to the VPC’s CIDR range on port 443. Attach the security group to the VPC interface endpoint.

The above question’s option # 3 says:

“Configure a security group that allows inbound traffic for VPC’s CIDR range on port 443. Attach the security group to the VPC interface endpoint.”

In place of the VPC interface endpoint – shouldn’t it be EC2?
Please confirm if this is a typo or if I do not understand it correctly.
Thanks!
-
Hello MartyByrde,
Good day!
Thank you for posting here. The option stating: “Configure a security group that allows inbound traffic for VPC’s CIDR range on port 443. Attach the security group to the VPC interface endpoint.” is correct as written.
When an EC2 instance resides in a private subnet with no internet gateway, the communication between the EC2 instance and AWS Systems Manager Session Manager must occur over the AWS network. To facilitate this, a VPC interface endpoint (also known as an AWS PrivateLink) is required for the Systems Manager. The VPC interface endpoint ensures that traffic to the Systems Manager service remains within the AWS network, bypassing the need for public internet access.
A security group must be attached to the VPC interface endpoint to control inbound traffic to the endpoint. The security group must allow inbound traffic from the VPC’s CIDR range on port 443 (HTTPS) to ensure secure communication between the EC2 instance and the Systems Manager service.
Thus, the correct step is configuring the security group for the VPC interface endpoint and not the EC2 instance. The interface endpoint acts as the gateway for the EC2 instance to communicate with the Systems Manager, and the security group rules ensure that the necessary traffic is allowed.
I hope this helps.
Regards,
Neil @ Tutorials Dojo
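To make the answer above concrete, here is an added Terraform example of the configuration it describes: the Systems Manager interface endpoints in the instance's VPC, a security group on the endpoints that admits HTTPS from the VPC CIDR, and an egress rule on the instance security group scoped to that endpoint security group rather than to 0.0.0.0/0, which the instance does not need. This is not code from the original post or from Tutorials Dojo. The region, VPC ID, subnet ID and CIDR are placeholders, and it assumes the instance already has an instance profile that lets SSM Agent register with Systems Manager (for example the AmazonSSMManagedInstanceCore managed policy), a prerequisite the question does not discuss.

```hcl
# Added example, not part of the original post. All IDs and the region
# are placeholders; replace them with the values from your account.

variable "region"     { default = "us-east-1" }                  # assumption
variable "vpc_id"     { default = "vpc-0123456789abcdef0" }      # placeholder
variable "vpc_cidr"   { default = "10.0.0.0/16" }                # placeholder
variable "subnet_ids" { default = ["subnet-0123456789abcdef0"] } # private subnet(s), placeholder

provider "aws" {
  region = var.region
}

# Security group for the endpoint network interfaces (option 3 in the
# question): inbound HTTPS from the VPC CIDR only. Nothing outside the VPC
# can reach these ENIs anyway, but scoping to the CIDR keeps the rule explicit.
resource "aws_security_group" "ssm_endpoints" {
  name        = "ssm-interface-endpoints"
  description = "Allow HTTPS from the VPC to the SSM interface endpoints"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from instances in this VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# Security group for the forensic target. The question says it currently has
# no rules at all; the only egress Session Manager needs is HTTPS to the
# endpoint security group, so that is all we add (no 0.0.0.0/0, no inbound).
resource "aws_security_group" "forensic_instance" {
  name        = "forensic-instance"
  description = "No inbound; HTTPS out to SSM interface endpoints only"
  vpc_id      = var.vpc_id

  egress {
    description     = "HTTPS to the SSM interface endpoints"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.ssm_endpoints.id]
  }
}

# The interface endpoints (option 1). Session Manager itself uses the ssm and
# ssmmessages endpoints; ec2messages is included because SSM Agent uses it for
# Run Command and the three are normally deployed together. private_dns_enabled
# makes the regional service hostnames (ssm.<region>.amazonaws.com, etc.)
# resolve to the endpoint ENIs, so the agent needs no configuration change.
locals {
  ssm_services = ["ssm", "ssmmessages", "ec2messages"]
}

resource "aws_vpc_endpoint" "ssm" {
  for_each            = toset(local.ssm_services)
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.ssm_endpoints.id]
  private_dns_enabled = true

  tags = {
    Name = "ssm-${each.key}"
  }
}
```

Attach `aws_security_group.forensic_instance` to the instance (for example via `vpc_security_group_ids` on the `aws_instance` resource). After `terraform apply`, the instance should appear in the output of `aws ssm describe-instance-information` once the agent has registered through the endpoints, and `aws ssm start-session --target <instance-id>` should then connect. The direction of the rules is the point the original question turned on: the endpoint security group filters traffic arriving at the endpoint, so its rule is inbound from the VPC, while the instance security group only needs the matching outbound rule.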