What is AWS Systems Manager, and how is Session Manager safer than SSH bastions?
AWS · Advanced level
Answer
Systems Manager provides operational capabilities like Session Manager, Run Command, Patch Manager, Parameter Store, Automation, and Inventory. Session Manager is safer than SSH bastions because it avoids inbound SSH and uses IAM/audit logging.
Technical explanation
Session Manager needs SSM Agent, IAM permissions, and network access to SSM endpoints or the internet.
Operations at scale should prefer managed access, automation, immutable infrastructure, repeatable runbooks, and auditability over manual host-by-host changes.
Troubleshooting should isolate layers: identity, network, host, application, dependency, deployment, and AWS service signals.
Patch, access, AMI, and incident workflows must be tested and measurable so they do not depend on tribal knowledge.
Hands-on example
1. Set up a sandbox EC2 fleet with SSM Agent, IAM instance role, CloudWatch Agent, hardened AMI baseline, and no unnecessary inbound access.
2. Perform the operation through automation: Session Manager, Run Command, Patch Manager, Image Builder, ASG instance refresh, or a runbook.
3. Introduce a realistic failure and use logs, metrics, status checks, and reachability tools to troubleshoot layer by layer.
4. Update the runbook and define the alarm or compliance check that would catch the issue next time.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More AWS interview questions
- What is the AWS shared responsibility model, and where is the line between AWS and the customer?
- Explain the difference between a Region, an Availability Zone, and an Edge Location.
- What is a VPC, and what are its core components (subnets, route tables, IGW, NAT)?
- Difference between a public and a private subnet, and how does each reach the internet?
- What is the difference between a Security Group and a Network ACL?
- Are Security Groups stateful or stateless? What about NACLs?
- What is an Internet Gateway versus a NAT Gateway, and when do you need each?
- How does a NAT Gateway differ from a NAT instance?