An IT firm has deployed web applications on Amazon EC2 instances.
Team members in the operations team do not have permission to restart Amazon EC2 instances.
The Operations Head is exploring an option to enable team members to restart EC2 instances using AWS Systems Manager runbooks and is seeking your support to create the appropriate permissions.
While assigning permissions, there should not be any deviation in the least privilege access guidelines established by the Security Team. Which permission needs to be assigned to enable members to restart the EC2 instance?
A. B. C. D.
Correct Answer: A.
Runbooks run in the context of the user who initiated the runbooks.
In the above case, team members will need permission to restart an Amazon EC2 instance, which will be used by the runbooks.
Another option is to use service roles.
With service roles, runbooks are run against the AWS resource, and users who initiated the runbooks do not require permission to restart the Amazon EC2 instance.
Option B is incorrect as using a service role is a preferred option instead of using an administrator account to initiate runbooks.
Options C & D are incorrect as these would be against the least privilege permission guidelines.
For more information on running runbooks with service roles, refer to the following URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-walk-security-delegated.html

The correct answer to the question is C: "Create a runbook to restart an Amazon EC2 instance allowing team members 'AmazonSSMFullAccess' permissions to restart a specific Amazon EC2 instance."
Explanation:
AWS Systems Manager allows IT teams to manage and automate operational tasks across AWS resources from a central location. AWS Systems Manager Runbooks is a feature that enables users to define a set of tasks, known as actions, that can be executed in sequence across AWS resources, including EC2 instances.
To enable team members to restart EC2 instances using AWS Systems Manager runbooks, the appropriate permissions must be assigned while adhering to the least privilege access guidelines established by the Security Team.
Option A is incorrect because embedding the IAM service role in the runbook does not provide the necessary permissions for team members to restart EC2 instances. IAM roles are used to delegate access to AWS resources, but the appropriate permissions must still be assigned to the role itself.
Option B is incorrect because running the runbook as an administrator does not provide the necessary permissions for team members to restart EC2 instances. Running the runbook as an administrator only affects the level of access granted to the user executing the runbook, not the underlying permissions required to perform the desired action.
Option C is the correct answer because it provides the necessary permissions for team members to restart a specific EC2 instance while adhering to the least privilege access guidelines established by the Security Team. Specifically, the 'AmazonSSMFullAccess' permission provides full access to AWS Systems Manager, which includes the ability to restart EC2 instances using runbooks. By limiting the permission to a specific EC2 instance, the team members are only granted the necessary access required to perform the desired action.
Option D is incorrect because providing full permissions to restart any EC2 instance violates the least privilege access guidelines established by the Security Team. Granting full permissions to team members can lead to accidental or intentional actions that can harm the environment.
In summary, Option C is the correct answer because it provides the necessary permissions for team members to restart a specific EC2 instance while adhering to the least privilege access guidelines established by the Security Team.
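The first answer above describes two permission models: the runbook runs in the caller's own context, so the caller needs the EC2 action scoped to the one instance, or the runbook assumes a service role, so the EC2 action lives on the role and the caller only needs to start the runbook and pass that role. The following Python is an added example (not code from the page, from the exam vendor, or from AWS documentation) that builds both sets of least-privilege policy documents and runs a small check for statements that grant a mutating or wildcard action on every resource. The account id, region, instance id and role name are constructed placeholders; `AWS-RestartEC2Instance` is an AWS-owned Automation runbook that stops and then starts the instance, and the assumption here is that `ec2:StopInstances`, `ec2:StartInstances` and `ec2:DescribeInstanceStatus` are the EC2 actions it needs.

```python
"""Least-privilege IAM policies for restarting one EC2 instance via an SSM
Automation runbook, in both the user-context and service-role models.
Added example; identifiers below are constructed placeholders."""

ACCOUNT = "111122223333"                 # constructed placeholder
REGION = "us-east-1"                     # constructed placeholder
INSTANCE_ID = "i-0123456789abcdef0"      # constructed placeholder
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{INSTANCE_ID}"
# AWS-owned runbook; ARN format for the default document version.
RUNBOOK_ARN = (f"arn:aws:ssm:{REGION}::automation-definition/"
               "AWS-RestartEC2Instance:$DEFAULT")
# Hypothetical role name for the service-role model.
AUTOMATION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/RestartEC2AutomationRole"
# Assumed to match what the restart runbook calls (stop, then start).
EC2_RESTART_ACTIONS = ["ec2:StopInstances", "ec2:StartInstances"]
# Describe* actions do not support resource-level permissions, so "*" is required there.
DESCRIBE_STATEMENT = {"Sid": "DescribeInstanceState", "Effect": "Allow",
                      "Action": "ec2:DescribeInstanceStatus", "Resource": "*"}


def user_context_policy():
    """Operator policy when the runbook runs with the caller's own permissions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "StartRestartRunbook", "Effect": "Allow",
         "Action": "ssm:StartAutomationExecution", "Resource": RUNBOOK_ARN},
        {"Sid": "RestartOneInstance", "Effect": "Allow",
         "Action": EC2_RESTART_ACTIONS, "Resource": INSTANCE_ARN},
        DESCRIBE_STATEMENT,
    ]}


def service_role_policies():
    """(operator policy, automation role policy) when the runbook assumes a role.
    The operator holds no EC2 permissions at all; they only start the runbook and
    may pass this one role, and only to Systems Manager."""
    operator = {"Version": "2012-10-17", "Statement": [
        {"Sid": "StartRestartRunbook", "Effect": "Allow",
         "Action": "ssm:StartAutomationExecution", "Resource": RUNBOOK_ARN},
        {"Sid": "PassOnlyTheAutomationRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": AUTOMATION_ROLE_ARN,
         "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}},
    ]}
    role = {"Version": "2012-10-17", "Statement": [
        {"Sid": "RestartOneInstance", "Effect": "Allow",
         "Action": EC2_RESTART_ACTIONS, "Resource": INSTANCE_ARN},
        DESCRIBE_STATEMENT,
    ]}
    return operator, role


def any_instance_policy():
    """The over-broad variant the question warns against: restart of any instance."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "RestartAnyInstance", "Effect": "Allow",
         "Action": EC2_RESTART_ACTIONS, "Resource": "*"},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Sids of Allow statements that grant a wildcard or mutating action on Resource "*".
    Read-only Describe/Get/List actions on "*" are tolerated because many of them
    cannot be resource-scoped; anything else on "*" is flagged for review."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            name = action.split(":", 1)[-1]
            if action == "*" or name == "*" or not name.startswith(("Describe", "Get", "List")):
                flagged.append(stmt.get("Sid", "<no sid>"))
                break
    return flagged


if __name__ == "__main__":
    import json
    op, role = service_role_policies()
    for label, pol in [("user-context", user_context_policy()),
                       ("service-role operator", op),
                       ("service-role automation role", role),
                       ("any-instance (over-broad)", any_instance_policy())]:
        print(f"{label}: flagged={overbroad_statements(pol)}")
        print(json.dumps(pol, indent=2))
```

The check is deliberately simple: it catches the "restart any instance" shape (option D) and `ec2:*`/`*` grants, but it is not an IAM policy simulator, so scoping to a specific instance ARN should still be confirmed with the actual runbook's required actions before deployment.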