While preparing for the AWS SAP-C02, many candidates get confused by EC2 instance access patterns when SSH keys are unavailable. In the real world, this is fundamentally a decision about operational risk vs. service availability. The trap? Overthinking the solution by introducing AMI workflows when modern AWS tooling already solves the problem. Let’s drill into a simulated scenario.
The Scenario #
GlobalFinance Corp operates a mission-critical monolithic trading platform hosted on a single Amazon EC2 instance running Amazon Linux 2. The application processes millions of dollars in transactions daily and uses an encrypted Amazon EBS volume for persistent storage.
The legal and compliance team has issued an urgent directive: all financial transaction logs stored on the EBS volume must be backed up to an Amazon S3 bucket to comply with new regulatory audit requirements. However, there are critical constraints:
- No SSH key pairs exist for the instance (previous administrator left the company)
- The application cannot experience downtime — traders are active 18 hours per day
- Data must be extracted directly from the live instance without manual intervention
- The backup must complete within the current fiscal quarter (2 weeks)
Key Requirements #
Design a solution that:
- Extracts EBS volume data to S3 without SSH access
- Maintains 100% application availability during the process
- Minimizes operational complexity and time-to-compliance
- Adheres to AWS security best practices (IAM roles, encryption)
The Options #
-
A) Attach an IAM role with S3 write permissions to the instance. Use AWS Systems Manager Session Manager to access the instance and run commands to copy data to Amazon S3.
-
B) Create an AMI of the instance with the reboot option enabled. Launch a new EC2 instance from the AMI, attach an IAM role with S3 write permissions, and run commands to copy data to S3.
-
C) Use Amazon Data Lifecycle Manager (DLM) to create EBS snapshots and copy the data to Amazon S3.
-
D) Create an AMI of the instance without rebooting. Launch a new EC2 instance from the AMI, attach an IAM role with S3 write permissions, and run commands to copy data to S3.
Correct Answer #
Option A — Attach IAM role with S3 write permissions + Use AWS Systems Manager Session Manager.
Step-by-Step Winning Logic #
This solution represents the optimal trade-off for three critical dimensions:
-
Zero Downtime: The instance remains fully operational — no reboots, no instance launches, no traffic disruption.
-
Direct Problem Resolution: Session Manager was purpose-built for exactly this scenario — secure shell access without SSH keys. Leveraging AWS-native tooling eliminates the need for workarounds.
-
Minimal Cost & Complexity:
- No additional EC2 instances launched
- No EBS storage duplication
- No AMI creation/management overhead
- Session Manager connectivity to EC2 is free (only S3 storage costs apply)
-
Security Best Practices: IAM role attachment follows the principle of least privilege, and Session Manager provides auditable access through CloudTrail.
The Strategic Pattern: When AWS provides a managed service that directly solves your constraint (no SSH access), use it. Don’t architect around the problem.
💎 Professional-Level Analysis #
This section breaks down the scenario from a professional exam perspective, focusing on constraints, trade-offs, and the decision signals used to eliminate incorrect options.
🔐 Expert Deep Dive: Why Options Fail #
This walkthrough explains how the exam expects you to reason through the scenario step by step, highlighting the constraints and trade-offs that invalidate each incorrect option.
Prefer a quick walkthrough before diving deep?
[Video coming soon] This short walkthrough video explains the core scenario, the key trade-off being tested, and why the correct option stands out, so you can follow the deeper analysis with clarity.
🔐 The Traps (Distractor Analysis) #
This section explains why each incorrect option looks reasonable at first glance, and the specific assumptions or constraints that ultimately make it fail.
The difference between the correct answer and the distractors comes down to one decision assumption most candidates overlook.
-
Why not Option B?
- Fatal Flaw: “Enable reboot option” violates the zero-downtime requirement. The AMI creation process with reboot would take the production instance offline.
- Unnecessary Complexity: Launching a duplicate instance adds $150-300/month in EC2 costs (even if temporary) and 4-6 hours of operational overhead.
- Risk Factor: Data inconsistency — if the application writes to EBS during the AMI creation window, the snapshot may be incomplete.
-
Why not Option C?
- Service Limitation: Amazon DLM creates EBS snapshots, but DLM does not automatically copy snapshot data to S3. Snapshots remain in EBS snapshot storage (different service, different pricing tier).
- Missing Step: You would still need manual intervention to extract files from snapshots (mount to instance → copy to S3), which brings you back to the access problem.
- Cost Inefficiency: Snapshot storage costs $0.05/GB-month vs. S3 Standard at $0.023/GB-month — you’re paying double for storage you’ll need to migrate anyway.
-
Why not Option D?
- Better than B, but still flawed: Creating an AMI without reboot (no-reboot flag) avoids downtime, but introduces:
- Duplicate Infrastructure Cost: $150-300 for a new EC2 instance (even if ephemeral)
- Operational Delay: AMI creation takes 15-45 minutes; instance launch adds another 5-10 minutes
- Data Drift Risk: If the production instance continues writing data during AMI creation, the copy is already stale by the time it launches
- The Fundamental Question: Why create a copy of an instance when you only need to access its shell? This is over-engineering.
- Better than B, but still flawed: Creating an AMI without reboot (no-reboot flag) avoids downtime, but introduces:
🔐 The Solution Blueprint #
This blueprint visualizes the expected solution, showing how services interact and which architectural pattern the exam is testing.
Seeing the full solution end to end often makes the trade-offs—and the failure points of simpler options—immediately clear.
graph TB
A[Production EC2 Instance
Amazon Linux 2
Encrypted EBS Volume]
B[AWS Systems Manager
Session Manager]
C[IAM Role
S3 Write Permissions]
D[Amazon S3 Bucket
Compliance Archive]
E[CloudTrail Audit Log]
A -->|Attach Role| C
A -->|Establish Session| B
B -->|Secure Shell Access
No SSH Keys Required| A
B -->|Log Access Events| E
A -->|aws s3 cp / sync| D
C -->|Authorize S3 Write| D
style A fill:#FF9900,stroke:#232F3E,stroke-width:3px,color:#fff
style B fill:#527FFF,stroke:#232F3E,stroke-width:2px,color:#fff
style D fill:#569A31,stroke:#232F3E,stroke-width:2px,color:#fff
style C fill:#DD344C,stroke:#232F3E,stroke-width:2px,color:#fff
Diagram Note: Session Manager creates a managed shell session without requiring inbound ports, SSH keys, or bastion hosts — the instance maintains full production uptime while the IAM role provides secure, temporary S3 write permissions.
🔐 The Decision Matrix #
This matrix compares all options across cost, complexity, and operational impact, making the trade-offs explicit and the correct choice logically defensible.
At the professional level, the exam expects you to justify your choice by explicitly comparing cost, complexity, and operational impact.
| Option | Downtime Risk | Est. Monthly Cost | Complexity | Time to Deploy | Pros | Cons |
|---|---|---|---|---|---|---|
| A - Session Manager | None ✅ | Low ($23/TB in S3) | Minimal | 15 minutes | • Zero infrastructure changes • Native AWS tooling • CloudTrail audit trail • No SSH key dependency |
• Requires SSM agent (pre-installed on Amazon Linux 2) • Initial IAM policy setup |
| B - AMI + Reboot | High ❌ | Medium ($23/TB S3 + $150 EC2 temp) | High | 45-60 minutes | • Complete instance clone | • Production downtime • Duplicate compute costs • Data may be inconsistent |
| C - DLM Snapshots | None ✅ | High ($50/TB snapshot + manual effort) | High | 60+ minutes | • Automated snapshot lifecycle | • Snapshots ≠ S3 objects • Requires manual extraction step • 2x storage cost vs. S3 |
| D - AMI No Reboot | Low ⚠️ | Medium ($23/TB S3 + $150 EC2 temp) | Medium | 30-45 minutes | • No planned downtime • Safe instance copy |
• Unnecessary infrastructure duplication • Data drift during AMI creation • Higher operational overhead |
FinOps Insight: For a 1TB dataset, Option A costs ~$23 (S3 Standard storage only). Option B/D add $150-200 in temporary EC2/EBS costs. Option C incurs $50/TB in snapshot storage, then requires conversion to S3 anyway. Option A delivers 85% cost savings while eliminating complexity.
🔐 Real-World Practitioner Insight #
This section connects the exam scenario to real production environments, highlighting how similar decisions are made—and often misjudged—in practice.
This is the kind of decision that frequently looks correct on paper, but creates long-term friction once deployed in production.
Exam Rule #
“When you see ’no SSH key pairs’ + ‘cannot experience downtime’ + ‘access instance filesystem’, immediately think AWS Systems Manager Session Manager. This is AWS’s native solution for keyless access.”
Real World #
In production environments, we would enhance Option A with:
-
AWS Backup Integration: Instead of manual
aws s3 synccommands, configure AWS Backup to create automated, application-consistent EBS snapshots and copy to S3 via lifecycle policies. -
EventBridge Automation: Trigger Session Manager Run Commands on a schedule (e.g., daily at 2 AM UTC) to execute backup scripts without manual intervention.
-
Data Classification: Use S3 Intelligent-Tiering for the compliance archive — after 90 days without access, automatically transition to Glacier Flexible Retrieval ($0.0036/GB-month, 84% savings).
-
Security Hardening:
- Enable Session Manager logging to S3 for compliance audits
- Use AWS KMS Customer Managed Keys (CMK) for S3 bucket encryption
- Implement S3 Object Lock in compliance mode to prevent data deletion
-
Monolith Decomposition: Use this compliance project as a catalyst to refactor the monolithic application into microservices — reducing single-instance risk and enabling blue/green deployments.
The Hidden Trade-off: While Session Manager is correct for the exam, enterprise architects would question why a mission-critical application has:
- No disaster recovery plan
- No multi-AZ deployment
- No automated backup strategy
- Lost SSH key management
This scenario is a technical debt red flag — the compliance requirement exposed systemic operational risk.