You have an application running in AWS. The application has the frontend EC2 servers deployed in a public subnet. And the backend EC2 servers are hosted in a private subnet. The frontend servers can communicate with the backend servers properly. One day there is an issue in production, and you need to login to one backend EC2 instance to troubleshoot. The connection to the backend servers should be made most securely. Which of the following options is the most secure one to access the instance?

Answer options:

A.Generate a new SSH key and use the key to SSH to the backend instance.
B.SSH to one of the frontend instances and then SSH to the backend.
C.Modify the security group of the instance to allow the SSH inbound traffic from your IP address. Revert the change after you do not need the access.
D.Configure a dedicated bastion host and SSH to the bastion host. Then SSH to the backend instance from the bastion.

Correct Answer – D
Bastion host is the most suitable one in this scenario. It is a dedicated server for users to securely SSH to the backend servers in the private subnet.
Option A is incorrect: Since the backend instance is in the private subnet, users cannot directly SSH to it.
Option B is incorrect: Because normally, front-end servers should not have SSH access to the backend. In this scenario, we should use a dedicated jump host rather than the frontend instances.
Option C is incorrect: Same as option A. The backend instance does not have a public IP, and you cannot directly SSH to it from your server.
Option D is CORRECT: Through the bastion host, the SSH connection can be safely established and monitored.