Which strategy should a solutions architect implement?
Deploy a Linux bastion host on the corporate network that has access to all instances in the VPC.
Deploy AWS Systems Manager Agent on the EC2 instances. Access the EC2 instances using Session Manager restricting access to users with permission.
Deploy a Linux bastion host with an Elastic IP address in the public subnet. Allow access to the bastion host from 0.0.0.0/0.
Establish a Site-to-Site VPN connecting the corporate network to the VPC. Update the security groups to allow access from the corporate network only.
Explanations:
A Linux bastion host on the corporate network would not provide secure access to the EC2 instances in the VPC since it would require opening the corporate network to the public internet. This setup does not address the security concerns about RDP access and could expose the corporate network to risks.
Deploying AWS Systems Manager Agent on the EC2 instances and using Session Manager allows secure access without needing to open RDP ports to the internet. This solution enables secure access control and auditing by restricting access to users with specific IAM permissions. It eliminates the need for a bastion host and minimizes the attack surface.
A Linux bastion host with an Elastic IP address in the public subnet that allows access from 0.0.0.0/0 is highly insecure. This configuration exposes the bastion host to the entire internet, making it a target for attackers, and does not mitigate the risks associated with RDP access.
While establishing a Site-to-Site VPN could provide secure access from the corporate network to the VPC, it does not address the immediate concern of securing RDP access to the EC2 instances. Additionally, it requires managing a VPN connection and may not be necessary if other secure methods, such as using AWS Systems Manager, are available.
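As an added illustration of the Session Manager option (not part of the original question), the IAM identity policy below is one way to restrict who can open sessions: it allows `ssm:StartSession` only on instances carrying a constructed `SessionAccess=allowed` tag, restricts the session document to the default shell, and lets a user end or resume only their own sessions. The tag name and value are assumptions chosen for this example; the instances themselves keep a security group with no inbound RDP/SSH rules, since the agent connects outbound to the Systems Manager endpoints.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/SessionAccess": "allowed"
        }
      }
    },
    {
      "Sid": "AllowDefaultShellDocumentOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell"
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "ReadOnlyForConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceProperties",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

Session activity can additionally be logged to CloudWatch Logs or S3 through the Session Manager preferences, which is what gives the auditing the explanation refers to.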