Your company owns several EC2 Windows servers in production. In order to be compliant with recent company security policies, you need to create an EC2 Windows bastion host for users to connect to the instances via the Remote Desktop Protocol (RDP). How would you ensure that users can perform remote administration for the Windows servers ONLY through the new bastion host?

Answer options:

A.Configure the security groups of the Windows server instances to only accept TCP/3389 connections from the security group of the Windows bastion host.
B.Configure the security group of the Windows bastion host to only allow RDP from the company’s IP addresses.
C.Add a NACL rule in the subnets of the Windows server instances to deny TCP/443 and TCP/22.
D.In the NACL of the bastion host server, allow the inbound and outbound traffic for TCP/3389.

Correct Answer: A
Option A is CORRECT because with this option, Windows server instances only allow the RDP traffic from the bastion host instance. Users need to login to the bastion host to connect to the Windows servers.
Option B is incorrect because this option only allows the connections to the bastion host. It does not provide the RDP connections to the Windows servers through the bastion host.
Option C is incorrect because this option only denies ports 443 and 22. It does not allow any rules for the inbound RDP connections.
Option D is incorrect because similar to option B, it only controls the RDP traffic of the bastion host and there are no controls or limitations on the Windows instances. Users can bypass the bastion host to connect to the Windows servers via RDP and there is no NACL rule to deny it.
The NACL of the bastion host server cannot block the unexpected connections. Instead, the control should be applied in the Windows instances to only allow the connections from the Windows bastion host.
Reference:
https://aws.amazon.com/blogs/security/controlling-network-access-to-ec2-instances-using-a-bastion-server/