The correct answer is: Enable AWS Systems Manager Session Manager and use it to securely connect to EC2 instances without relying on SSH keys.

AWS Systems Manager Session Manager provides secure, auditable, browser-based and CLI-based access to EC2 instanceswithout the need to open inbound ports or manage SSH keys. It allows administrators to establish shell-level access through AWS Identity and Access Management (IAM) roles and policies. This solution eliminates the operational complexity of distributing, rotating, and revoking SSH keys, and satisfies the security team's requirement to remove shared key access. It also provides full session logging, further enhancing audit capabilities.

The option Set up a bastion host for shared SSH access. Restrict all other EC2 instances to accept SSH connections only from the bastion still relies on managing and sharing SSH keys, even if access is funneled through a bastion. This does not meet the security mandate and introduces single points of failure and operational complexity.

The option Use AWS Security Token Service (STS) to dynamically issue one-time-use SSH keys for connecting to EC2 instances is not natively supported and would require building custom tooling and scripts to generate, distribute, and manage these keys. This introduces more overhead and is not a standard, scalable practice for managing EC2 access.

The option Authenticate users with Amazon Cognito and invoke a Lambda function that generates a short-lived SSH key for access is unnecessarily complex and requires developing and maintaining a custom solution. While technically possible, it introduces additional infrastructure and overhead compared to the managed capabilities of Session Manager.

This question is important because it assesses your ability to apply AWS-native tools to improve security posture while minimizing operational complexity. When tasked with securing access to large fleets of instances, AWS Systems Manager Session Manager is the preferred solutionespecially when keyless access, auditability, and least privilege access control are priorities.

A helpful trick is to look for key phrases like 'least administrative overhead' and 'secure access without shared keys.' These are strong indicators that Session Manager is the ideal answer. Avoid complex custom solutions when a managed AWS service addresses the problem directly and efficiently.

Full AWS Practitioner Certification Question