72. Bastions

A Bastion Host:
A bastion host is a special-purpose computer on a network, specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the attack surface. It is hardened in this manner primarily because of its location and purpose: it sits either outside a firewall or in a DMZ and usually accepts access from untrusted networks or computers.

Tips:
i. A NAT Gateway or NAT instance gives EC2 instances in private subnets outbound access to the internet without exposing them to inbound connections.
ii. A Bastion is used to securely administer EC2 instances in private subnets (using SSH or RDP). Bastions are called Jump Boxes in Australia.
iii. We cannot use a NAT Gateway as a Bastion Host: it only relays outbound traffic and cannot be logged into.

Question 1:
Your company runs an application hosted on AWS. The application utilizes two EC2 instances in two public subnets. Only specific users in the company access the WEB server via the Internet. The other instance is set up as a database server. As a security officer, you have begun to consider improving the security of this current architecture.
Which of the following is the most secure configuration?
Options:
A. Create a new private subnet and place a NAT instance on it
B. Move the web server to a private subnet
C. Move the DB server to a private subnet
D. Migrate both servers to the new private subnet and set up a bastion server on the public subnet
Answer: D
Explanation:
Option D is the correct answer. The most secure configuration is to migrate both the web server and the database server to a private subnet and put the NAT gateway on the public subnet. Access to the web server is then provided through a bastion server or an ELB in the public subnet.
If the web server needed unrestricted access from the internet, it would belong in a public subnet. In this case, however, only internal users access the web server from the internal network, so access is limited to internal users, and it is better for security to place the web server in a private subnet.
Option A is incorrect. A new private subnet is needed and the servers must be relocated, but installing a NAT instance alone does not meet the requirements of this scenario.
Option B is incorrect. Not only the web server but also the database server should move to the private subnet.
Option C is incorrect. Not only the DB server but also the web server should move to the private subnet.
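The tips and the question above describe one pattern: application and database servers in private subnets, a bastion in the public subnet as the only SSH/RDP entry point, and a NAT gateway for outbound traffic. The following is an added example (not part of the original notes) that audits a VPC layout against that pattern. The data is constructed: the dictionaries are shaped after the fields the AWS CLI returns for route tables, instances and security groups, the subnet-to-route-table link is flattened into a RouteTableId field for brevity, and every ID and CIDR is a placeholder. The layout_before() function models the question's starting architecture and layout_after() models Option D.

```python
# Added example: audit a VPC layout for the bastion pattern in the notes.
# All IDs, CIDRs and the "Role" field are constructed placeholders; real
# describe-* output is larger, and the subnet/route-table association is
# flattened here into SubnetId -> RouteTableId.

ANY_IPV4 = "0.0.0.0/0"
ADMIN_PORTS = (22, 3389)  # SSH and RDP: the ports a bastion is used for


def is_public_subnet(subnet, route_tables):
    """Public means the subnet's route table sends 0.0.0.0/0 to an internet gateway."""
    routes = route_tables[subnet["RouteTableId"]]["Routes"]
    return any(r.get("DestinationCidrBlock") == ANY_IPV4
               and r.get("GatewayId", "").startswith("igw-") for r in routes)


def rule_covers_port(rule, port):
    """True if an ingress rule admits traffic to the given TCP port."""
    if rule.get("IpProtocol") == "-1":  # "all traffic" rule
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_sources(rule):
    """Yield ('cidr', block) or ('sg', group-id) for each source of an ingress rule."""
    for ip_range in rule.get("IpRanges", []):
        yield "cidr", ip_range["CidrIp"]
    for pair in rule.get("UserIdGroupPairs", []):
        yield "sg", pair["GroupId"]


def audit(vpc):
    """Return a list of findings; an empty list means the layout follows the pattern."""
    findings = []
    subnets = {s["SubnetId"]: s for s in vpc["Subnets"]}
    groups = {g["GroupId"]: g for g in vpc["SecurityGroups"]}
    public = {sid for sid, s in subnets.items() if is_public_subnet(s, vpc["RouteTables"])}
    bastion_groups = {i["SecurityGroupId"] for i in vpc["Instances"] if i["Role"] == "bastion"}

    for inst in vpc["Instances"]:
        iid, role = inst["InstanceId"], inst["Role"]
        in_public = inst["SubnetId"] in public
        if role == "bastion" and not in_public:
            findings.append(f"{iid}: bastion must sit in a public subnet")
        if role != "bastion" and in_public:
            findings.append(f"{iid}: {role} server is in a public subnet; move it to a private one")

        group = groups[inst["SecurityGroupId"]]
        for rule in group["IpPermissions"]:
            for port in ADMIN_PORTS:
                if not rule_covers_port(rule, port):
                    continue
                for kind, src in rule_sources(rule):
                    if kind == "cidr" and src == ANY_IPV4:
                        findings.append(f"{group['GroupId']}: port {port} open to {ANY_IPV4}")
                    elif role != "bastion" and not (kind == "sg" and src in bastion_groups):
                        # Private servers may accept admin traffic only from the bastion's group.
                        findings.append(f"{group['GroupId']}: port {port} reachable from {src}, "
                                        "not only from the bastion's security group")
    return findings


# Constructed sample network: one public and one private subnet (placeholder IDs).
ROUTE_TABLES = {
    "rtb-public": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                              {"DestinationCidrBlock": ANY_IPV4, "GatewayId": "igw-example"}]},
    "rtb-private": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                               {"DestinationCidrBlock": ANY_IPV4, "NatGatewayId": "nat-example"}]},
}
SUBNETS = [{"SubnetId": "subnet-pub", "RouteTableId": "rtb-public"},
           {"SubnetId": "subnet-priv", "RouteTableId": "rtb-private"}]


def tcp(port, **source):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **source}


def from_cidr(block):
    return {"IpRanges": [{"CidrIp": block}]}


def from_group(group_id):
    return {"UserIdGroupPairs": [{"GroupId": group_id}]}


def layout_before():
    """The question's starting point: web and DB in public subnets, SSH open to the world."""
    return {
        "RouteTables": ROUTE_TABLES, "Subnets": SUBNETS,
        "Instances": [
            {"InstanceId": "i-web", "Role": "web", "SubnetId": "subnet-pub", "SecurityGroupId": "sg-web"},
            {"InstanceId": "i-db", "Role": "db", "SubnetId": "subnet-pub", "SecurityGroupId": "sg-db"},
        ],
        "SecurityGroups": [
            {"GroupId": "sg-web", "IpPermissions": [tcp(443, **from_cidr(ANY_IPV4)), tcp(22, **from_cidr(ANY_IPV4))]},
            {"GroupId": "sg-db", "IpPermissions": [tcp(3306, **from_group("sg-web")), tcp(22, **from_cidr(ANY_IPV4))]},
        ],
    }


def layout_after():
    """Option D: both servers private, a bastion in the public subnet, admin ports only via the bastion."""
    return {
        "RouteTables": ROUTE_TABLES, "Subnets": SUBNETS,
        "Instances": [
            {"InstanceId": "i-bastion", "Role": "bastion", "SubnetId": "subnet-pub", "SecurityGroupId": "sg-bastion"},
            {"InstanceId": "i-web", "Role": "web", "SubnetId": "subnet-priv", "SecurityGroupId": "sg-web"},
            {"InstanceId": "i-db", "Role": "db", "SubnetId": "subnet-priv", "SecurityGroupId": "sg-db"},
        ],
        "SecurityGroups": [
            # 203.0.113.0/24 stands in for the company's office address range (placeholder).
            {"GroupId": "sg-bastion", "IpPermissions": [tcp(22, **from_cidr("203.0.113.0/24"))]},
            {"GroupId": "sg-web", "IpPermissions": [tcp(443, **from_group("sg-elb")), tcp(22, **from_group("sg-bastion"))]},
            {"GroupId": "sg-db", "IpPermissions": [tcp(3306, **from_group("sg-web")), tcp(22, **from_group("sg-bastion"))]},
        ],
    }


if __name__ == "__main__":
    for name, layout in (("before", layout_before()), ("after", layout_after())):
        print(name, audit(layout) or ["no findings"])
```

Running it reports four findings for the starting layout (both servers in a public subnet, and port 22 open to 0.0.0.0/0 on both groups) and none for the Option D layout. The same audit flags drift later on, for example if someone widens a private server's SSH rule from the bastion's security group to a whole CIDR block.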