An engineering firm is managing operations on an Amazon EC2 instance using AWS Systems Manager.
SSM Agent on the EC2 instance is communicating with AWS Systems Manager over an interface VPC endpoint.
Operations teams accessing the EC2 instance using Session Manager are unable to connect to it.
You have been assigned to troubleshoot this connectivity error. Which additional interface endpoint needs to be created to resolve this issue?
A. com.amazonaws.region.ec2messages
B. com.amazonaws.region.ec2
C. com.amazonaws.region.ssmmessages
D. com.amazonaws.region.kms
Correct Answer: C.
For Session Manager to reach a managed instance, an additional interface VPC endpoint, com.amazonaws.region.ssmmessages, must be created. SSM Agent uses this endpoint for the Session Manager data channel.
This endpoint is separate from the com.amazonaws.region.ssm endpoint that the agent already uses for general Systems Manager communication.
Options A and B are incorrect. The ec2messages endpoint carries Run Command traffic between SSM Agent and Systems Manager, and the ec2 endpoint serves EC2 API calls (Systems Manager needs it only for VSS-enabled snapshots); neither is used by Session Manager.
Option D is incorrect. The kms endpoint needs to be created only when Session Manager is configured to encrypt session data with an AWS KMS key, which this scenario does not mention.
For more information on interface VPC endpoints for Session Manager, refer to the following URL.
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html
The issue in this scenario is that the operations team is unable to connect to the EC2 instance using Session Manager. The EC2 instance is already communicating with AWS Systems Manager over an interface VPC endpoint, so we need to identify which additional interface endpoint must be created to allow Session Manager access.
Option A suggests creating a VPC endpoint for com.amazonaws.region.ec2messages. SSM Agent uses this endpoint to exchange Run Command messages with the Systems Manager service. It is not used by Session Manager, so it does not resolve the connectivity issue.
Option B suggests creating a VPC endpoint for com.amazonaws.region.ec2. This endpoint lets instances in the VPC call the EC2 API; Systems Manager requires it only for VSS-enabled snapshots. It does not affect Session Manager connectivity.
Option C suggests creating a VPC endpoint for com.amazonaws.region.ssmmessages. SSM Agent uses this endpoint to open the Session Manager data channel to the Session Manager service. The instance currently has only the endpoint used for general Systems Manager communication, which does not carry Session Manager traffic, so the ssmmessages endpoint is missing and must be created.
Option D suggests creating a VPC endpoint for com.amazonaws.region.kms. This endpoint provides access to the AWS Key Management Service (KMS) API and is required only when Session Manager is configured to encrypt session data with a KMS key. The scenario does not mention KMS encryption, so this option can be ruled out.
Therefore, the correct answer is Option C - creating a VPC endpoint for the com.amazonaws.region.ssmmessages
interface. This additional endpoint will allow the operations team to access the EC2 instance using Session Manager.
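As an added example, not part of the original question or its explanation, the following shell script turns the reasoning above into a check a practitioner can run: given the interface endpoints already present in a VPC, it reports which endpoints Session Manager still needs (treating kms as required only when session data encryption with a KMS key is configured) and prints the AWS CLI calls that would create them. The existing-endpoint list, region, VPC, subnet and security group identifiers are constructed placeholders; in real use the list comes from `aws ec2 describe-vpc-endpoints`.

```shell
#!/bin/sh
# Added example (not from the original page). In practice the existing-endpoint
# list would be produced by:
#   aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values="$VPC_ID" \
#     --query 'VpcEndpoints[?VpcEndpointType==`Interface`].ServiceName' --output text
# Here it is constructed by hand to match the scenario in the question.

# Usage: missing_session_manager_endpoints REGION KMS_ENABLED EXISTING...
#   REGION       e.g. us-east-1
#   KMS_ENABLED  "yes" when Session Manager session data is encrypted with a KMS key
#   EXISTING...  service names of interface endpoints already present in the VPC
# Prints the service names that still have to be created, one per line.
missing_session_manager_endpoints() {
    region=$1; kms=$2; shift 2
    existing=" $* "
    # ssm: agent registration and inventory; ec2messages: Run Command traffic;
    # ssmmessages: the Session Manager data channel. kms is only needed when
    # session encryption with a customer-managed key is configured.
    required="ssm ec2messages ssmmessages"
    if [ "$kms" = "yes" ]; then
        required="$required kms"
    fi
    for svc in $required; do
        name="com.amazonaws.$region.$svc"
        case "$existing" in
            *" $name "*) ;;          # already present, nothing to do
            *) echo "$name" ;;       # missing, must be created
        esac
    done
}

# Usage: create_endpoint_commands VPC_ID "SUBNET_ID ..." SG_ID SERVICE_NAME...
# Prints one AWS CLI call per missing endpoint. Private DNS must be enabled so
# that SSM Agent's lookups of the public service hostname resolve to the
# endpoint's private IPs. The security group attached to the endpoint must
# allow inbound TCP 443 from the instance's security group.
create_endpoint_commands() {
    vpc=$1; subnets=$2; sg=$3; shift 3
    for name in "$@"; do
        printf 'aws ec2 create-vpc-endpoint --vpc-id %s --vpc-endpoint-type Interface --service-name %s --subnet-ids %s --security-group-ids %s --private-dns-enabled\n' \
            "$vpc" "$name" "$subnets" "$sg"
    done
}

# Constructed scenario from the question: the instance already talks to Systems
# Manager (ssm and ec2messages endpoints exist), Session Manager cannot connect,
# and no KMS session encryption is in use. Identifiers below are placeholders.
missing=$(missing_session_manager_endpoints us-east-1 no \
    com.amazonaws.us-east-1.ssm com.amazonaws.us-east-1.ec2messages)
echo "Missing endpoints for Session Manager:"
echo "$missing"
echo "Commands to create them:"
create_endpoint_commands vpc-0123456789abcdef0 "subnet-0aaa subnet-0bbb" sg-0ccc $missing
```

Run with the real output of `describe-vpc-endpoints` in place of the constructed list. After the endpoint is created, SSM Agent picks up the new route without a restart and `aws ssm start-session --target <instance-id>` should connect; if it still fails, check the endpoint security group and the instance profile permissions rather than adding further endpoints.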