Bastion Hosts for Administering Amazon EC2 Linux Servers in AWS

Question

Your company is planning to use several bastion hosts for administering the Amazon EC2 Linux servers in AWS.

Which of the following statements is correct for the bastion hosts from a security perspective?

Answers

Explanations

A. B. C. D.

Answer - C.

A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks.

The computer generally hosts a single application, for example, a proxy server, and all other services are removed or limited to reduce the threat to the computer.

In AWS, a bastion host is kept on a public subnet.

Users log on to the bastion host via SSH and then use that session to manage other hosts in the private subnets.

Option A is incorrect because the bastion host needs to sit on the public subnet.

Option B is incorrect because when users SSH to the bastion hosts, there is no need to use NAT Gateways.

Option C is CORRECT because EC2 instances should only allow the SSH access from the bastion hosts.

This ensures that users cannot bypass the bastion hosts to access EC2 instances.

Option D is incorrect because the ingress rule should be locked down to the IP range of end users instead of the VPC CIDR.

For more information on bastion hosts, see the following URL:

https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html
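The reasoning for Options C and D can be checked mechanically. The following audit is an added example, not part of the original page or of any AWS tooling. It assumes security-group data in the shape returned by `aws ec2 describe-security-groups`; the group IDs, CIDR ranges and function names are constructed for illustration.

```python
import ipaddress

SSH = 22

def allows_ssh(perm):
    """True if an IpPermissions entry covers TCP port 22."""
    if perm["IpProtocol"] == "-1":  # all protocols and ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= SSH <= perm["ToPort"]

def audit(groups, bastion_sg, instance_sgs, vpc_cidr):
    """Return (group id, message) findings for SSH rules that break the bastion pattern.
    Only IPv4 ranges (IpRanges) are examined in this sketch."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in filter(allows_ssh, g["IpPermissions"]):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            if gid == bastion_sg:
                # Option D: the bastion ingress should name end-user ranges.
                for c in cidrs:
                    net = ipaddress.ip_network(c)
                    if net.prefixlen == 0:
                        findings.append((gid, f"SSH open to the whole internet ({c})"))
                    elif net.overlaps(vpc):
                        findings.append((gid, f"SSH source {c} is VPC address space, not end users"))
            elif gid in instance_sgs:
                # Option C: instances accept SSH only from the bastion's group.
                for c in cidrs:
                    findings.append((gid, f"SSH allowed from CIDR {c}, bypassing the bastion"))
                for s in sources:
                    if s != bastion_sg:
                        findings.append((gid, f"SSH allowed from {s}, not the bastion group"))
    return findings

# Constructed sample data: IDs and addresses are made up for this example.
SAMPLE = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-app-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-app-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, msg in audit(SAMPLE, "sg-bastion", {"sg-app-ok", "sg-app-bad"}, "10.0.0.0/16"):
        print(gid, "-", msg)
```

On the sample data the audit reports the VPC-CIDR rule on the bastion group and the wide-open port range on `sg-app-bad`, while the group that references the bastion's security group passes.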

B. A bastion host is deployed into a public subnet as it needs internet access. Users firstly SSH to the bastion host through a NAT Gateway and then connect to the EC2 servers.

Explanation: A bastion host is a server that is located in a public subnet of a VPC, and it is used to securely administer and access instances in private subnets. When you use bastion hosts to administer your instances, you can limit access to your instances by configuring your security group rules to allow inbound SSH traffic only from the IP address of the bastion host.

The correct statement from a security perspective is B. A bastion host is deployed into a public subnet as it needs internet access. Users firstly SSH to the bastion host through a NAT Gateway and then connect to the EC2 servers.

The bastion host must be deployed in a public subnet to allow it to have internet access, which is required for managing EC2 instances. Users first connect to the bastion host via SSH, and then they can use that connection to connect to the EC2 instances. To provide secure access to the bastion host, you can use a NAT Gateway to allow traffic from the internet to the bastion host without exposing the bastion host's IP address directly to the internet.

EC2 instances in the private subnets should allow inbound access from the security group of the bastion hosts. This is correct because the security group of the bastion host should be configured to allow inbound SSH traffic from the IP address ranges of the users who need to access the instances. To connect to the EC2 instances, the security group rules for the instances must allow inbound SSH traffic from the security group associated with the bastion host.

Access to the bastion hosts should be locked down to the VPC CIDR range. This statement is not correct because it is too restrictive. If you lock down access to the bastion host to only the VPC CIDR range, you will not be able to manage the bastion host from outside the VPC. You should instead configure the security group rules to allow inbound traffic from the IP addresses of the users who need to access the bastion host.