ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your company runs several Linux-based application servers in a public cloud VPC. The instances reside in a private subnet that has no Internet gateway. Operations engineers working from the corporate network (a fixed /29 public address block) require occasional SSH access for troubleshooting. Corporate policy prohibits exposing the application servers directly to the Internet. From a network-security standpoint, which design change BEST provides the required access while preserving least privilege and minimizing the public attack surface?
Configure an Internet-facing load balancer to forward TCP/22 to the private instances and restrict the listener to the corporate /29.
Place a small, hardened bastion host in a public subnet, allow SSH to it only from the corporate /29, and permit the private instances to accept SSH solely from the bastion's security group.
Keep the servers in the private subnet, enable host-based firewalls, and allow SSH from 0.0.0.0/0 so administrators can reach them from anywhere.
Assign public IP addresses to every application server and add a security-group rule that allows TCP/22 only from the corporate /29.
The common and recommended pattern is to deploy a hardened bastion (jump) host in a small public subnet and give it the only public IP address. The bastion's security group permits inbound TCP/22 solely from the corporate /29. The application servers keep their private addresses, and their security group allows SSH only from the bastion's security group, so no Internet host can reach them directly. Opening port 22 on every server (even when restricted by source IP) or exposing it through an Internet-facing load balancer markedly increases the number of publicly reachable endpoints. Allowing 0.0.0.0/0, or relying on host-based firewalls alone, conflicts with the stated policy and expands exposure. Out-of-band tools such as AWS Systems Manager Session Manager (SSM) can remove the need for SSH entirely, but that option was not listed; a VPN alone, without a jump host, would still require routing changes and add management complexity.
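As an added illustration (not part of the original question or its explanation), the following Python audits a constructed set of inbound security-group rules against the pattern described above: the bastion group accepts TCP/22 only from the corporate /29, and application-server groups accept SSH only from the bastion's security group. It also encodes the three rejected designs so the audit's findings can be compared. The group names (sg-bastion, sg-app, sg-lb) and the 203.0.113.0/29 corporate block are placeholders assumed for the example; it goes slightly beyond the question by also flagging an IPv6 source on the bastion and an application group with no bastion rule at all.

```python
"""Audit inbound security-group rules against the bastion-host SSH pattern.

Constructed example: group names, rule sets and the 203.0.113.0/29 corporate
block are placeholders, not values from any real environment.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One inbound rule; exactly one of cidr / source_group should be set."""
    group: str                          # security group that owns the rule
    port: int                           # destination TCP port
    cidr: Optional[str] = None          # source CIDR block, or ...
    source_group: Optional[str] = None  # ... source security group


# Assumed corporate /29 (203.0.113.0/24 is the TEST-NET-3 documentation range).
CORP_NET = ipaddress.ip_network("203.0.113.0/29")


def audit_ssh_rules(rules: List[Rule], bastion_sg: str, app_sgs: List[str],
                    corp_net=CORP_NET, port: int = 22) -> List[str]:
    """Return findings for rules on `port`; an empty list means the rules follow
    the pattern: the bastion accepts SSH only from corp_net, and each app group
    accepts SSH only from the bastion group."""
    findings = []
    for r in rules:
        if r.port != port:
            continue  # other ports are outside this audit
        if r.cidr is not None:
            src = ipaddress.ip_network(r.cidr, strict=False)
            if r.group == bastion_sg:
                # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
                if src.version != corp_net.version or not src.subnet_of(corp_net):
                    findings.append(f"{r.group}: SSH allowed from {src}, not within corporate {corp_net}")
            else:
                findings.append(f"{r.group}: SSH allowed directly from {src}; only the bastion group "
                                f"{bastion_sg} should expose SSH to a CIDR")
        elif r.source_group is not None:
            if r.group in app_sgs and r.source_group != bastion_sg:
                findings.append(f"{r.group}: SSH allowed from group {r.source_group}, "
                                f"not the bastion group {bastion_sg}")
            elif r.group == bastion_sg:
                findings.append(f"{r.group}: bastion should accept SSH only from the corporate CIDR, "
                                f"not from group {r.source_group}")
    # Required access must still work: every app group needs a rule from the bastion group.
    for sg in app_sgs:
        if not any(r.group == sg and r.port == port and r.source_group == bastion_sg for r in rules):
            findings.append(f"{sg}: no SSH rule from the bastion group {bastion_sg}; operators cannot reach it")
    return findings


BASTION, APP = "sg-bastion", "sg-app"

# Recommended design: bastion from the corporate /29, app servers from the bastion group only.
RECOMMENDED = [
    Rule(BASTION, 22, cidr="203.0.113.0/29"),
    Rule(APP, 22, source_group=BASTION),
    Rule(APP, 443, cidr="10.0.0.0/16"),  # unrelated application traffic, ignored by the audit
]
# Rejected: public IP on every server, SSH restricted to the corporate /29.
PUBLIC_IP_PER_SERVER = [Rule(APP, 22, cidr="203.0.113.0/29")]
# Rejected: SSH open to the world (here on the bastion).
WORLD_OPEN_BASTION = [Rule(BASTION, 22, cidr="0.0.0.0/0"), Rule(APP, 22, source_group=BASTION)]
# Rejected: Internet-facing load balancer forwarding TCP/22 to the app servers.
LB_FORWARDING = [Rule("sg-lb", 22, cidr="203.0.113.0/29"), Rule(APP, 22, source_group="sg-lb")]

if __name__ == "__main__":
    for name, rules in [("recommended", RECOMMENDED), ("public ip per server", PUBLIC_IP_PER_SERVER),
                        ("world-open bastion", WORLD_OPEN_BASTION), ("load balancer", LB_FORWARDING)]:
        result = audit_ssh_rules(rules, BASTION, [APP])
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

The audit is intentionally narrow: it judges only SSH exposure and reachability, not the host hardening, logging or session recording a real bastion deployment would also need.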
Cloud Security Operations