AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company recently launched Linux-based application instances on Amazon EC2 in a private subnet and launched a Linux-based bastion host on an Amazon EC2 instance in a public subnet of a VPC. A solutions architect needs to connect from the on-premises network, through the company's internet connection, to the bastion host, and to the application servers. The solutions architect must make sure that the security groups of all the EC2 instances will allow that access.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Replace the current security group of the bastion host with one that only allows inbound access from the application instances.

Replace the current security group of the bastion host with one that only allows inbound access from the internal IP range for the company.

Replace the current security group of the bastion host with one that only allows inbound access from the external IP range for the company.

Replace the current security group of the application instances with one that allows inbound SSH access from only the private IP address of the bastion host.

Replace the current security group of the application instances with one that allows inbound SSH access from only the public IP address of the bastion host.

Explanation:

Explanation

Correct Answers: C and D

Why C is correct:

The bastion host in the public subnet needs to allow inbound SSH access from the company's on-premises network. Since the connection comes from the on-premises network through the company's internet connection, the bastion host should only allow inbound access from the company's external IP range (the public IP addresses that the company uses to connect to the internet). This ensures that only authorized connections from the company's network can access the bastion host.

Why D is correct:

The application instances in the private subnet should only allow SSH access from the bastion host. Since the bastion host is in the same VPC, the security group should reference the private IP address of the bastion host (not the public IP address). This follows AWS security best practices where internal resources should reference private IP addresses within the VPC.

Why other options are incorrect:

A: Incorrect - The bastion host needs to allow inbound access from the on-premises network, not from the application instances.
B: Incorrect - The internal IP range for the company refers to on-premises private IP addresses, but the bastion host needs to allow access from the company's external/public IP addresses since the connection comes through the internet.
E: Incorrect - Application instances in a private subnet should reference the private IP address of the bastion host, not the public IP address. The public IP address is not reachable from the private subnet.

Security Architecture Principles:

Bastion Host Security: Should be tightly controlled to allow only specific source IP ranges (company's external IPs)
Private Subnet Security: Application instances should only allow SSH from the bastion host's private IP
Layered Security: This creates a secure jump host architecture where the bastion host acts as a controlled entry point

Powered ByGPT-5.2

Comments

Loading comments...