Assess your understanding of AWS Bastion hosts, secure access methods, and best practices for managing remote connectivity to cloud resources. This beginner-focused quiz covers key concepts like bastion host setup, security group configurations, tunneling, and alternative secure access options in AWS environments.
What is the primary function of a bastion host in a cloud environment?
Explanation: A bastion host acts as a secure entry point, allowing controlled remote access to resources in a private network. It does not manage data backups, nor does it handle resource scaling or load balancing, which are separate infrastructure functions. The other options refer to different cloud services or features unrelated to bastion host responsibilities.
Where should a bastion host typically be placed within a virtual private cloud (VPC) network structure?
Explanation: Placing a bastion host in a public subnet allows authorized users to connect from the internet and then securely reach private resources. Deploying it in a private subnet would prevent necessary inbound access. Placing it with a database server weakens security by mixing roles, and deploying it on user laptops is incorrect since it's a managed network gateway, not an endpoint.
Which method best improves the security of SSH access to a bastion host?
Explanation: Limiting SSH access by source IP narrows the threat surface and prevents unauthorized connections. Allowing SSH from all addresses is unsafe as it exposes the host to the world. Reliance solely on password authentication is less secure than key-based methods. Disabling monitoring and logging reduces the ability to detect suspicious activities, making it less appropriate.
Why is it recommended to use a bastion host for accessing databases in private subnets?
Explanation: A bastion host acts as a security barrier, preventing direct exposure of databases to the internet, thus reducing attack risks. It does not enhance query performance or create database backups. While it can help manage access efficiently, its primary purpose isn't to reduce network costs.
What is a best practice regarding access logging on a bastion host?
Explanation: Detailed access logs help administrators monitor and investigate user activities on the bastion host. Disabling logging or recording only failed attempts weakens audit trails. Storing logs without reliable backup is risky, as logs may be lost in a system failure.
How does enabling multi-factor authentication (MFA) increase bastion host security?
Explanation: MFA forces users to provide a second form of authentication, such as a code from a device, making unauthorized access much harder. Removing credentials, speeding up connections, or handling security updates are not functions of MFA. The other options either misdescribe MFA or refer to unrelated features.
Which alternative AWS tool allows secure, browser-based access to private network resources without a bastion host?
Explanation: Session Manager enables secure browser-based shell access to instances, without requiring a bastion host or SSH exposure. Direct Connect Gateway deals with dedicated network connections, Elastic File System provides shared storage, and Route 53 is for DNS management, making them less appropriate for this use case.
What is the purpose of configuring Network ACLs along with security groups for a bastion host?
Explanation: Network ACLs offer stateless filtering of incoming and outgoing traffic at the subnet level, enhancing security when used with security groups. Increasing storage, assigning IPs, or automatic snapshots are unrelated to network ACL configuration, as those are managed differently.
Which is the recommended method for managing user access credentials when connecting to a bastion host?
Explanation: Providing unique SSH key pairs enhances accountability and security, as keys can be managed or revoked per user. Shared passwords, default credentials, and exposing private keys are major security risks and make unauthorized access much easier.
What is a potential risk if automation scripts using bastion hosts do not securely handle private keys or credentials?
Explanation: If automation scripts store credentials insecurely, attackers may obtain them and gain unauthorized access. Script failure, increased bandwidth, or unintended restarts are not direct risks associated with mishandling credentials in this context. The main danger lies in reduced credential security.