Bastion Host Security: Restoring Access in Production

Restoring Access to the Bastion Host in a Secure and Timely Manner

Question

For security purposes, a bastion host (EC2) is created in the production environment.

Users must first connect to the bastion host in order to SSH to other EC2 instances in production.

Your manager is worried that someone may accidentally modify the SSH key of the bastion host.

In that case, no one can SSH to the bastion host or EC2 instances in production.

Which method would you use to quickly restore the bastion host if the issue happens?

Answers

Explanations


Correct Answer - B.

The question asks for a method to quickly restore the instance if the SSH key is changed for the bastion host and the previous key does not work anymore.

The correct method is to create frequent snapshots so that the instance can be relaunched from the latest snapshot.

The bastion host becomes accessible again with the original SSH key.

Option A is incorrect because this option helps to prevent the issue from happening.

However, it is not a method to recover the instance if the issue appears.

Option B is CORRECT because the CloudFormation stack can easily recreate the bastion host with an EBS snapshot.

The stack can launch the replacement instance with the original SSH key pair, which restores the bastion host.

Option C is incorrect because this method does not help to restore the bastion host at all.

Option D is incorrect because although the AWS Config rule or CloudTrail can monitor the configuration changes or API activities, they cannot help recover the instance if the issue happens.

Option D is the most appropriate solution for the given scenario.

Enabling an AWS Config rule to monitor whether the SSH key of the bastion host has been changed would allow us to detect any unauthorized changes made to it. AWS Config is a service that enables us to assess, audit, and evaluate the configurations of our AWS resources, including EC2 instances. We can create a Config rule that checks whether the SSH key of the bastion host has been modified. If the rule detects a change, it can notify us through an Amazon SNS topic or trigger an AWS Lambda function to perform any necessary remediation steps.

Enabling CloudTrail to monitor activities on the instance would provide us with an audit trail of all the actions performed on the bastion host, including changes made to the SSH key. AWS CloudTrail is a service that enables us to log, continuously monitor, and retain events related to API calls across our AWS infrastructure. It helps us to ensure compliance with regulatory standards and provides us with an audit trail for security analysis, resource change tracking, and troubleshooting.

Option A of adjusting the security group of the bastion host to allow limited IP addresses is a good security practice but does not address the concern of the SSH key being modified.

Option B of configuring a CloudFormation stack to manage the bastion host and using an EBS lifecycle policy in Data Lifecycle Manager to automatically create EBS snapshots for the bastion instance is a good practice for managing the lifecycle of the bastion host and ensuring that we have backups. However, it does not address the concern of the SSH key being modified.

Option C of saving the SSH private key in an S3 bucket and rotating the key every month is a good practice for managing SSH keys. However, it does not address the concern of the SSH key being modified, and if the key is accidentally modified, rotating it every month would not solve the problem.
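As an added example (not part of the original question or either explanation above), this CloudFormation template implements option B as described in both explanations: the stack owns the bastion, Data Lifecycle Manager snapshots it on a schedule, and a `RestoreSnapshotId` parameter rebuilds the host from a chosen snapshot with the original key pair. The resource names, the `Backup` tag, the 12-hour schedule, the instance type and the `/dev/xvda` root device name are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName   # the original, known-good key pair
  ImageId:
    Type: AWS::EC2::Image::Id
  RestoreSnapshotId:
    Type: String
    Default: ""                        # a snapshot id from the DLM policy below, or empty
Conditions:
  RestoreFromSnapshot: !Not [!Equals [!Ref RestoreSnapshotId, ""]]
Resources:
  Bastion:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: t3.micro
      KeyName: !Ref KeyName            # re-applied every time the stack recreates the host
      BlockDeviceMappings:
        - DeviceName: /dev/xvda        # root device name of the AMI (assumed: Amazon Linux)
          Ebs:
            # root volume is built from the chosen snapshot, otherwise from the AMI
            SnapshotId: !If [RestoreFromSnapshot, !Ref RestoreSnapshotId, !Ref AWS::NoValue]
      Tags:
        - { Key: Backup, Value: bastion }   # DLM selects the instance by this tag
  DlmRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: dlm.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSDataLifecycleManagerServiceRole
  BastionSnapshots:
    Type: AWS::DLM::LifecyclePolicy
    Properties:
      Description: Snapshot the bastion every 12 hours, keep the last 14
      State: ENABLED
      ExecutionRoleArn: !GetAtt DlmRole.Arn
      PolicyDetails:
        ResourceTypes: [INSTANCE]
        TargetTags:
          - { Key: Backup, Value: bastion }
        Schedules:
          - Name: every-12h
            CreateRule: { Interval: 12, IntervalUnit: HOURS, Times: ["03:00"] }
            RetainRule: { Count: 14 }
```

Updating the stack with a `RestoreSnapshotId` taken before the key was modified replaces the instance, because a change to `BlockDeviceMappings` forces replacement; on AMIs that use cloud-init, the new instance id also makes cloud-init re-run its per-instance setup and add the `KeyName` public key on top of whatever the snapshot contains.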