For security purposes, a bastion host (EC2) is created in the production environment. Users must first connect to the bastion host in order to SSH to other EC2 instances in production. Your manager is worried that someone may accidentally modify the SSH key of the bastion host. In that case, no one can SSH to the bastion host or EC2 instances in production. Which method would you use to restore the bastion host if the issue happens quickly?

Answer options:

A.Adjust the security group of the bastion host to allow limited IP addresses so that only relevant people can access the instance.
B.Configure a CloudFormation stack to manage the bastion host. Use an EBS lifecycle policy in Data Lifecycle Manager to automatically create EBS snapshots for the bastion instance.
C.Save the SSH private key in an S3 bucket and rotate the key every month to ensure that the key is not leaked.
D.Enable AWS Config rule to monitor if the SSH key has been changed for the bastion host. Enable CloudTrail to monitor activities on the instance.

Correct Answer – B
The question asks for a method to quickly restore the instance if the SSH key is changed for the bastion host and the previous key does not work anymore. The correct method is to create frequent snapshots so that the instance can be launched with the latest snapshot. The bastion host becomes accessible again with the original SSH key.
Option A is incorrect because this option helps to prevent the issue from happening. However, it is not a method to recover the instance if the issue appears.
Option B is CORRECT because the CloudFormation stack can easily recreate the bastion host with an EBS snapshot. The stack can use the original SSH key to generate the instance to restore the bastion host.
Option C is incorrect because this method does not help to restore the bastion host at all.
Option D is incorrect because although the AWS Config rule or CloudTrail can monitor the configuration changes or API activities, they cannot help recover the instance if the issue happens.