Your company is planning to use several bastion hosts for administering the Amazon EC2 Linux servers in AWS. Which of the following statements is correct for the bastion hosts from a security perspective?

Answer options:

A.A bastion host should be on a private subnet instead of a public subnet due to security concerns.
B.A bastion host is deployed into a public subnet as it needs internet access. Users firstly SSH to the bastion host through a NAT Gateway and then connect to the EC2 servers.
C.EC2 instances in the private subnets should allow inbound access from the security group of the bastion hosts.
D.Access to the bastion hosts should be locked down to the VPC CIDR range.

Answer – C
A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example, a proxy server, and all other services are removed or limited to reduce the threat to the computer.
In AWS, A bastion host is kept on a public subnet. Users log on to the bastion host via SSH and then use that session to manage other hosts in the private subnets.
Options A is incorrect because the bastion host needs to sit on the public subnet.
Option B is incorrect because when users SSH to the bastion hosts, there is no need to use NAT Gateways.
Option C is CORRECT because EC2 instances should only allow the SSH access from the bastion hosts. This ensures that users cannot bypass the bastion hosts to access EC2 instances.
Option D is incorrect because the ingress rule should be locked down to the IP range of end users instead of the VPC CIDR. 
For more information on bastion hosts, just browse the below URL:
https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html