Which of the following steps would satisfy this requirement?

A Solutions Architect needs to set up a bastion host in the cheapest, most secure way. The Architect should be the only person that can access it via SSH .

Which of the following steps would satisfy this requirement?
A . Set up a small EC2 instance and a security group that only allows access on port 22 via your IP address
B . Set up a small EC2 instance and a security group that only allows access on port 22
C . Set up a large EC2 instance and a security group that only allows access on port 22 via your IP address
D . Set up a large EC2 instance and a security group that only allows access on port 22

View Answer

Answer: A

Explanation:

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration.

To create a bastion host, you can create a new EC2 instance which should only have a security group from a particular IP address for maximum security. Since the cost is also considered in the question, you

should choose a small instance for your host. By default, t2.micro instance is used by AWS but you can change these settings during deployment.

Setting up a large EC2 instance and a security group which only allows access on port 22 via your IP address is incorrect because you don’t need to provision a large EC2 instance to run a single bastion host. At the same time, you are looking for the cheapest solution possible.

The options that say: Set up a large EC2 instance and a security group which only allows access on port

22 and Set up a small EC2 instance and a security group which only allows access on port 22 are both

incorrect because you did not set your specific IP address to the security group rules, which possibly

means that you publicly allow traffic from all sources in your security group. This is wrong as you should

only be the one to have access to the bastion host.

References:

https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html

https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/

Check out this Amazon EC2 Cheat Sheet:

https://tutorialsdojo.com/amazon-elastic-compute-cloud-amazon-ec2/