AWS Systems Manager Session Manager allows secure, auditable instance access without SSH keys or inbound ports. To control access based on instance tags, CloudOps best practices require two configurations:
• Attach an IAM policy to users or groups granting ssm:StartSession, ssm:DescribeInstanceInformation, and ssm:DescribeSessions.
• Include a Condition element in the IAM policy referencing instance tags, such as Condition: {"StringEquals": {"ssm:resourceTag/Environment": "Production"}}.
This ensures users can start sessions only with instances that have matching tags, providing fine-grained access control.
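As an added illustration (not from the study guide or AWS documentation), a user-level policy of the kind described above: StartSession is allowed only on instances tagged Environment=Production, the default session document is allowed in a separate statement together with the ssm:SessionDocumentAccessCheck condition so the caller cannot substitute a different document, the describe calls are granted on all resources as in the AWS quickstart policies, and users may terminate or resume only their own sessions. The Sid names, region us-east-1 and account 111122223333 are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnProductionInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/Environment": "Production"
        }
      }
    },
    {
      "Sid": "AllowOnlyTheDefaultSessionDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell",
      "Condition": {
        "BoolIfExists": {
          "ssm:SessionDocumentAccessCheck": "true"
        }
      }
    },
    {
      "Sid": "DescribeForConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeInstanceInformation",
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    }
  ]
}
```

The tag condition sits in its own statement because the document ARN carries no Environment tag; combining both resources under one StringEquals condition would deny the document and hence the whole StartSession call.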
AWS CloudOps documentation under Security and Compliance states:
“Use IAM policies with resource tags in the Condition element to restrict which managed instances users can access using Session Manager.”
Options B and D incorrectly suggest attaching roles or service accounts that are not relevant to user-level access control. Option C (placement groups) pertains to networking and performance, not access management. Therefore, A and E together provide tag-based, least-privilege access as required.
References (AWS CloudOps Documents / Study Guide):
• AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide – Domain 4: Security and Compliance
• AWS Systems Manager User Guide – Controlling Access to Session Manager Using Tags
• AWS IAM Policy Reference – Condition Keys for AWS Systems Manager
• AWS Well-Architected Framework – Security Pillar