Question 30
Domain 5: Data Protection
Your company is planning on using bastion hosts for administering the servers in IAM. Which of the following is the best description of a bastion host from a security perspective? Please select:
Correct answer: C
Explanation
A bastion host is a hardened jump server used for “secure remote access” into private resources. Allowing admins to log in with “RDP or SSH” and then use that session to reach internal subnet resources matches the standard bastion pattern for controlled administrative access.
Why each option is right or wrong
A. A Bastion host should be on a private subnet and never a public subnet due to security concerns
Bastion hosts must be reachable by admins from outside the private network, so placing them only in private subnets defeats their gateway role.
B. A Bastion host sits on the outside of an internal network and is used as a gateway into the private network and is considered the critical strong point of the network
This describes the network position and importance of a bastion host, but not the actual access function it provides.
C. Bastion hosts allow users to log in using RDP or SSH and use that session to SSH into the internal network to access private subnet resources.
A bastion host is the hardened, externally reachable jump point placed in a public subnet to mediate administrative access into private subnets; in AWS this is the standard pattern for reaching instances that have no public IP. The relevant control is the use of SSH on TCP 22 or RDP on TCP 3389 to the bastion, then a second hop from that session into the internal network, which is why the description of logging in first and pivoting to private resources matches the security design.
D. A Bastion host should maintain extremely tight security and monitoring as it is available to the public
Tight security and monitoring are genuinely required of a bastion host, but they are not its best defining description.