AWS Certified SysOps Administrator SOA-C01 – Question653

A SysOps Administrator must use a bastion host to administer a fleet of Amazon EC2 instances. All access to the bastion host is managed by the Security team.
What is the MOST secure way for the Security team to provide the SysOps Administrator access to the bastion host?

A.
Assign the same IAM role to the Administrator that is assigned to the bastion host.
B. Provide the Administrator with the SSH key that was used for the bastion host when it was originally launched.
C. Create a new IAM role with the same permissions as the Security team, and assign it to the Administrator.
D. Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.