Which combination of steps should the solutions architect take to meet these requirements?
(Choose two.)
Replace the current security group of the bastion host with one that only allows inbound access from the application instances.
Replace the current security group of the bastion host with one that only allows inbound access from the internal IP range for the company.
Replace the current security group of the bastion host with one that only allows inbound access from the external IP range for the company.
Replace the current security group of the application instances with one that allows inbound SSH access from only the private IP address of the bastion host.
Replace the current security group of the application instances with one that allows inbound SSH access from only the public IP address of the bastion host.
Explanations:
Allowing inbound access only from the application instances defeats the purpose of the bastion host, which should permit connections from on-premises.
Restricting access to the bastion host to only the internal IP range will prevent external access from on-premises, which is required for this scenario.
Allowing inbound access from the external IP range of the company ensures that on-premises users can access the bastion host securely.
Allowing inbound SSH access from the bastion host’s private IP to the application instances enables a secure connection from the bastion to these instances.
Using the public IP of the bastion host for SSH access to private instances is insecure and does not align with the private subnet configuration.