Question 11 - AWS SCS-C03 Real Exam Questions [March 2026 Update]

Q: 11

A company has a large fleet of Amazon Linux 2 Amazon EC2 instances that run an application processing sensitive dat a. Compliance requirements include no exposed management ports, full session logging, and authentication through AWS IAM Identity Center. DevOps engineers occasionally need access for troubleshooting. Which solution will provide remote access while meeting these requirements?

Options

Discussion

Meera P. Feb 25, 2026 2:44 am

C. I've seen this setup is the only way to avoid open ports and log sessions. Disagree?

Sean L. Feb 15, 2026 1:45 am

C . D looks tempting but even a second of open ports violates the "no exposed management ports" part.

Taylor Mar 2, 2026 8:03 am

Hard to say, C, but if compliance is really strict on never exposing ports then D can't be it.

Chloe N. Mar 2, 2026 3:36 am

Option C. D tries to trick you with "temporarily open remote access" but that's not compliant for sensitive data, pretty sure.

Taylor O. Mar 4, 2026 1:08 pm

C tbh. Only Session Manager setup (C) hits all requirements with zero management port exposure. I don't see the others fitting compliance.

Daniel Y. Feb 28, 2026 6:31 pm

Saw something just like this in a mock, C is correct. Meets every compliance item without opening management ports at all.

Sanjay Feb 24, 2026 9:00 am

Makes sense to me, C. No open ports at any time and session logging works cleanly with SSM Session Manager. Disagree?

Ishaan K. Mar 2, 2026 2:17 am

Its C. Session Manager is designed for secure, compliant remote access without opening management ports. D is a trap since you should never open ports just for troubleshooting in sensitive environments. IAM Identity Center works smoothly with SSM roles too. Seen similar Qs in practice tests.

Anita O. Feb 16, 2026 3:25 pm

Its C since even a brief opening of ports (like D) breaks the "no exposed management ports" rule, pretty sure that's what flips it for strict compliance cases.

FocusedLearner8198 Mar 2, 2026 1:52 pm

D , but C is probably safer for strict compliance since D still exposes ports briefly.

Be respectful. No spam.

Correct Answer:

Explanation

AWS Systems Manager Session Manager provides secure, auditable, and managed instance access without needing to open inbound ports, manage SSH keys, or maintain bastion hosts. It meets all the specified requirements:

1. No exposed management ports: Session Manager uses the SSM Agent, which communicates with the AWS endpoint over an outbound HTTPS (port 443) connection. This eliminates the need to open inbound ports like SSH (22).

2. Full session logging: Session Manager can be configured to log all session activity, including every command and its output, to Amazon CloudWatch Logs or an Amazon S3 bucket, satisfying the compliance need for full logging.

3. Authentication through IAM Identity Center: Access to start a session is controlled by IAM policies. These policies can be attached to an IAM role within an IAM Identity Center permission set, allowing for centralized authentication and authorization.

Why Incorrect

A. The EC2 serial console is primarily for troubleshooting boot, network, or startup issues and is not intended for full, interactive shell sessions. Its logging is less comprehensive for auditing interactive commands.

B. EC2 Instance Connect requires the instance's security group to allow inbound SSH traffic (port 22) from the EC2 Instance Connect service, which violates the "no exposed management ports" requirement. It also lacks native session logging.

D. This approach explicitly opens remote access ports, which directly violates the core requirement of having no exposed management ports. It is an anti-pattern when a more secure option like Session Manager exists.

References

1. AWS Systems Manager User Guide, "AWS Systems Manager Session Manager": "Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys." It also states, "You can audit session activity in your AWS account using AWS CloudTrail. You can also log session data to Amazon S3 or Amazon CloudWatch Logs."

2. AWS Systems Manager User Guide, "Setting up Session Manager": Step 2 of the setup process details creating an instance profile with permissions for the SSM Agent. Step 4 covers granting IAM users session permissions, which is the mechanism used by IAM Identity Center permission sets.

3. AWS Security Blog, "How to use IAM Identity Center to provide access to your AWS Systems Manager tools": This blog post outlines the exact pattern described in the correct answer, stating, "You can use IAM Identity Center to provide your users with access to AWS Systems Manager tools, such as Session Manager... This allows you to provide your users with secure access to your instances without having to manage individual SSH keys."

4. Amazon EC2 User Guide for Linux Instances, "Connect to your Linux instance with EC2 Instance Connect": Under "Prerequisites," the documentation states, "The security group attached to your instance must have an inbound rule that allows SSH traffic (TCP port 22) from your IP address or from the IP address range for the AWS EC2 Instance Connect service." This confirms the need for an open port.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE