Bastion Host Overview
📌 2025 Update: Modern Alternatives to Bastion Hosts
While bastion hosts remain a valid architecture pattern, AWS now offers several modern alternatives that eliminate the need for managing a dedicated jump server:
- EC2 Instance Connect Endpoint (launched June 2023) – Connect to private instances without a bastion host, public IP, or IGW
- AWS Systems Manager Session Manager – IAM-based shell access over HTTPS; no open inbound ports or SSH keys needed
- AWS Verified Access – Zero trust access to resources over SSH/RDP protocols (non-HTTP support GA Feb 2025)
The AWS Quick Start for Linux Bastion was archived in October 2024 as part of the full AWS Quick Start program retirement.
- Bastion means a fortified structure built to protect what lies behind it
- In AWS, a Bastion host (also referred to as a Jump server) can be used to securely access instances in the private subnets.
- A Bastion host launched in a Public subnet acts as the primary access point from the Internet and as a proxy to the other instances.

Key points
- Bastion host is deployed in the Public subnet and acts as a proxy or a gateway between you and your instances
- Bastion host is a security measure that reduces the attack surface of your infrastructure: the hardening effort can be concentrated on a single layer
- Bastion host allows you to log in to instances in the Private subnet securely without having to store the private keys on the Bastion host (using ssh-agent forwarding or RDP gateways)
- Bastion host security can be further tightened to allow SSH/RDP access from specific trusted IPs or corporate IP ranges
- Bastion host for your AWS infrastructure shouldn’t be used for any other purpose, as that could open unnecessary security holes
- Security for all the Instances in the private subnet should be hardened to accept SSH/RDP connections only from the Bastion host
- Deploy a Bastion host within each Availability Zone for HA, because if the Bastion instance or the AZ hosting it goes down, the ability to connect to your private instances is lost completely
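The two security-group rules from the key points above (admin ports on the bastion only from trusted IPs over TCP; admin ports on private instances only from the bastion's security group), written up as an added audit script that is not part of the original post. It assumes input in the IpPermissions shape returned by `aws ec2 describe-security-groups`; the sample groups and their IDs are constructed, and the corporate IP is the one used in the exam question below.

```python
"""Audit security-group rules for the bastion pattern. Added example: input mirrors the
IpPermissions shape of `aws ec2 describe-security-groups`; samples below are constructed."""

ADMIN_PORTS = (22, 3389)  # SSH and RDP

def _covers_port(perm, port):
    # IpProtocol "-1" means all traffic and carries no port range.
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def _cidr_sources(perm):
    # Every IPv4 and IPv6 CIDR source on a rule.
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def audit_bastion_sg(sg, trusted_cidrs):
    """Admin ports on the bastion: TCP only, and only from trusted CIDRs."""
    findings = []
    for perm in sg["IpPermissions"]:
        for port in ADMIN_PORTS:
            if not _covers_port(perm, port):
                continue
            if perm.get("IpProtocol") != "tcp":
                findings.append(f"port {port}: protocol {perm.get('IpProtocol')} is not tcp")
            findings += [f"port {port}: untrusted source {c}"
                         for c in _cidr_sources(perm) if c not in trusted_cidrs]
    return findings

def audit_private_sg(sg, bastion_sg_id):
    """Admin ports on a private instance: only the bastion SG may be the source."""
    findings = []
    for perm in sg["IpPermissions"]:
        for port in ADMIN_PORTS:
            if not _covers_port(perm, port):
                continue
            findings += [f"port {port}: CIDR source {c}, expected bastion SG"
                         for c in _cidr_sources(perm)]
            findings += [f"port {port}: source {p['GroupId']} is not the bastion"
                         for p in perm.get("UserIdGroupPairs", [])
                         if p["GroupId"] != bastion_sg_id]
    return findings

# Constructed samples: corporate IP from the exam question on this page; SG IDs are placeholders.
TRUSTED = {"72.34.51.100/32"}
BASTION_SG = {"GroupId": "sg-bastion-placeholder", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "72.34.51.100/32"}]}]}
APP_SG_OK = {"GroupId": "sg-app-placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-bastion-placeholder"}]}]}
APP_SG_BAD = {"GroupId": "sg-app-placeholder", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
```

Run both audits over every group in the VPC; an empty findings list for the bastion group and for each private group means the pattern from the key points holds.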
Modern Alternatives to Bastion Hosts
EC2 Instance Connect Endpoint (EIC Endpoint)
- Launched in June 2023, EC2 Instance Connect Endpoint allows secure connectivity to instances in private subnets from the internet without requiring a bastion host
- No IGW in the VPC, no public IP on the instance, and no agent installation required
- Supports SSH and RDP connections using private IP addresses
- Access is controlled through IAM policies and security groups
- Available at no additional cost
- One EIC Endpoint per VPC; supported in all AWS Regions except Canada West (Calgary)
- Ideal for ad-hoc access to private instances without maintaining bastion infrastructure
AWS Systems Manager Session Manager
- Provides secure, auditable instance management without opening inbound ports (no port 22/3389 needed)
- No SSH keys to manage – access is controlled entirely through IAM policies
- Requires SSM Agent installed on the instance (pre-installed on Amazon Linux 2, Amazon Linux 2023, and many other AMIs)
- Provides full audit trail in AWS CloudTrail and session logging to S3/CloudWatch
- Supports port forwarding for accessing applications on private instances
- Works with instances in private subnets without internet access (via VPC endpoints)
- Recommended by AWS as a bastion host replacement for operational access
AWS Verified Access
- Provides secure, VPN-less access based on Zero Trust principles
- Originally supported only HTTP/HTTPS applications (GA April 2023)
- Non-HTTP protocol support (SSH, RDP, TCP) went GA in February 2025
- Evaluates access based on user identity and device security posture on every request
- Uses Cedar policy language for fine-grained access control
- Integrates with identity providers (IdPs) and device trust providers (Jamf, CrowdStrike, etc.)
- Achieved FedRAMP High and Moderate authorization (March 2025)
- Ideal for enterprise environments requiring identity-aware, device-trust-based access
When to Still Use a Bastion Host
- Legacy environments where SSM Agent cannot be installed
- Compliance requirements mandating a traditional network perimeter
- Environments needing specific protocol support not covered by alternatives
- Third-party access where IAM-based solutions are not feasible
- AWS certification exams still heavily test bastion host concepts
AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
- AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.
- A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?
- Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.
- Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.
- Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses.
- Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.
- You are designing a system that has a Bastion host. This component needs to be highly available without human intervention. Which of the following approaches would you select?
- Run the bastion on two instances, one in each AZ
- Run the bastion on an active Instance in one AZ and have an AMI ready to boot up in the event of failure
- Configure the bastion instance in an Auto Scaling group. Specify the Auto Scaling group to include multiple AZs but have a min-size of 1 and max-size of 1
- Configure an ELB in front of the bastion instance
- You’ve been brought in as solutions architect to assist an enterprise customer with their migration of an ecommerce platform to Amazon Virtual Private Cloud (VPC). The previous architect has already deployed a 3-tier VPC. The configuration is as follows:
VPC vpc-2f8t>C447
IGW ig-2d8bc445
NACL acl-2080c448
Subnets and Route Tables:
Web server’s subnet-258bc44d
Application server’s subnet-248DC44c
Database server’s subnet-9189c6f9
Route Tables:
rtb-2i8bc449
rtb-238bc44b
Associations:
Subnet-258bc44d: rtb-2i8bc449
Subnet-248DC44c: rtb-238bc44b
Subnet-9189c6f9: rtb-238bc44b
You are now ready to begin deploying EC2 instances into the VPC. Web servers must have direct access to the internet. Application and database servers cannot have direct access to the internet. Which configuration below will allow you to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet?
- Create a bastion and NAT Instance in subnet-258bc44d and add a route from rtb-238bc44b to subnet-258bc44d. (Route should point to the NAT)
- Add a route from rtb-238bc44b to igw-2d8bc445 and add a bastion and NAT instance within Subnet-248DC44c. (Adding the IGW to route table rtb-238bc44b would expose the Application and Database servers to the internet. Bastion and NAT should be in the public subnet)
- Create a Bastion and NAT Instance in subnet-258bc44d. Add a route from rtb-238bc44b to igw-2d8bc445. And a new NACL that allows access between subnet-258bc44d and subnet-248bc44c. (Route should point to the NAT and not the Internet Gateway, else the subnets would be internet accessible.)
- Create a Bastion and NAT instance in subnet-258bc44d and add a route from rtb-238bc44b to the NAT instance. (Bastion and NAT should be in the public subnet. As the Web Server has direct access to the Internet, subnet-258bc44d should be public and route table rtb-2i8bc449 should point to the IGW. Route table rtb-238bc44b for the private subnets should point to the NAT for outgoing internet access)
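The reasoning in the option explanations above (a subnet is public when its route table's default route goes to the IGW; bastion and NAT belong in a public subnet; private route tables must default to the NAT, never the IGW) as an added placement check, not code from the original post. It assumes input in the Routes/Associations shape of `aws ec2 describe-route-tables`; the sample tables reuse the subnet and route-table IDs from the question, and the NAT instance ID is a placeholder.

```python
"""Classify subnets from their route tables and check bastion/NAT placement.
Added example: input mirrors `aws ec2 describe-route-tables`; sample data is constructed."""

def default_route_target(rtb):
    """Return the target of the 0.0.0.0/0 route, or None if the table has none."""
    for route in rtb["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId") or route.get("InstanceId")
    return None

def classify_subnets(route_tables):
    """Map subnet id -> 'public' (default via IGW), 'private' (default via NAT), or 'isolated'."""
    kinds = {}
    for rtb in route_tables:
        target = default_route_target(rtb) or ""
        kind = "public" if target.startswith("igw-") else "private" if target else "isolated"
        for assoc in rtb["Associations"]:
            kinds[assoc["SubnetId"]] = kind
    return kinds

def check_placement(route_tables, bastion_subnet, nat_subnet, private_subnets):
    """Bastion and NAT must be in a public subnet; private subnets egress via NAT, not IGW."""
    kinds = classify_subnets(route_tables)
    findings = []
    for name, subnet in (("bastion", bastion_subnet), ("NAT", nat_subnet)):
        if kinds.get(subnet) != "public":
            findings.append(f"{name} in {subnet} is not in a public subnet")
    for subnet in private_subnets:
        if kinds.get(subnet) == "public":
            findings.append(f"{subnet} has a direct IGW route and is internet-exposed")
        elif kinds.get(subnet) != "private":
            findings.append(f"{subnet} has no NAT route and cannot fetch updates")
    return findings

# Constructed from the exam question: subnet and route-table IDs are the ones given there,
# the NAT instance ID is a placeholder. This is the correct (last) option's layout.
ROUTE_TABLES_GOOD = [
    {"RouteTableId": "rtb-2i8bc449",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-2d8bc445"}],
     "Associations": [{"SubnetId": "subnet-258bc44d"}]},
    {"RouteTableId": "rtb-238bc44b",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat-placeholder"}],
     "Associations": [{"SubnetId": "subnet-248DC44c"}, {"SubnetId": "subnet-9189c6f9"}]},
]
PRIVATE = ["subnet-248DC44c", "subnet-9189c6f9"]
```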
- You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host. Which option will meet the customer requirement?
- Security Group Inbound Rule: Protocol – TCP, Port Range – 22, Source 72.34.51.100/32
- Security Group Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
- Network ACL Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
- Network ACL Inbound Rule: Protocol – TCP, Port Range – 22, Source 72.34.51.100/0
- A company needs to provide secure access to EC2 instances in private subnets without managing SSH keys or opening inbound ports. The solution must provide an audit trail of all sessions. Which AWS service should they use?
- Deploy a bastion host in a public subnet with an Auto Scaling group
- Use AWS Systems Manager Session Manager with IAM-based access control
- Use EC2 Instance Connect Endpoint with a public IP on the instances
- Configure a VPN connection from the corporate network
- A solutions architect needs to allow developers to connect via SSH to EC2 instances in a private subnet that has no internet gateway and no NAT gateway. The instances do not have public IP addresses. Which solution requires the LEAST operational overhead?
- Deploy a bastion host in a public subnet and configure security groups
- Set up an AWS Site-to-Site VPN connection
- Create an EC2 Instance Connect Endpoint in the VPC
- Configure AWS Direct Connect with a private virtual interface
- An enterprise wants to implement zero trust access to their internal applications and SSH-based administration of EC2 instances. Access should be granted based on user identity and device security posture without using a VPN or bastion host. Which AWS service meets these requirements?
- AWS Systems Manager Session Manager
- EC2 Instance Connect Endpoint
- AWS Verified Access
- AWS Client VPN
- Which of the following are valid modern alternatives to using a bastion host for accessing private EC2 instances? (Select THREE)
- AWS Systems Manager Session Manager
- Amazon Inspector
- EC2 Instance Connect Endpoint
- AWS Config
- AWS Verified Access with non-HTTP protocol support