ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your security team is reviewing how administrators connect to a fleet of Windows and Linux virtual machines that reside in private subnets of a public cloud VPC. Today, each VM has its RDP or SSH port exposed through a network security group that permits traffic from the corporate public IP range. The team wants to further reduce the attack surface while still allowing engineers to manage the instances from the office. Which change best satisfies this objective?
Place a web proxy appliance in front of the private subnets so administrators can browse to the instances using HTTPS instead of RDP or SSH.
Create a client VPN that terminates in the VPC but leave the existing security-group rules open to 0.0.0.0/0 so engineers can connect whether the VPN is up or not.
Deploy a hardened bastion (jump) host in a small public subnet, allow SSH only from the corporate IP range to that host, and remove all direct internet-facing RDP/SSH rules from the other VMs.
Keep the current per-VM security-group rules but add TLS encryption on the RDP and SSH sessions to protect credentials in transit.
Opening management ports on every virtual machine, even if restricted to a limited source range, multiplies the number of potential targets. Replacing those per-instance rules with a single hardened bastion (jump) host placed in a small public subnet centralises exposure to one system that can be tightly monitored and patched. Administrators first establish an SSH session to the bastion from the corporate network and then pivot to the private instances over the internal network, eliminating any direct inbound RDP or SSH from the internet. Client or site-to-site VPNs help protect traffic in transit but still leave multiple hosts reachable if their security groups allow it. A web proxy or NAT gateway does not provide interactive console access. Therefore, deploying a dedicated bastion host and removing internet-facing management ports from all other VMs provides the strongest reduction of attack surface while maintaining necessary access.
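The following audit script is an added example, not part of the original question or its explanation. It models the three security-group layouts the question contrasts (per-VM rules from the corporate range, a VPN with groups left open to 0.0.0.0/0, and a single bastion with private VMs accepting management traffic only from the bastion's group) and counts how many instances are reachable on SSH/RDP from outside the VPC in each. The rule format, the VPC and corporate address ranges, and the instance and group names are all constructed for illustration and do not correspond to any cloud provider's real API or data.

```python
"""Audit security-group ingress rules for management ports reachable from
outside the VPC.

Added example, not part of the original practice question. The rule model
(port + source, where the source is either a CIDR or "sg:<group-name>" for a
security-group reference), the VPC and corporate address ranges, and the
instance names are all constructed for illustration; they are not any cloud
provider's real API or data."""
from dataclasses import dataclass, field
import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")   # constructed VPC address space
CORPORATE_RANGE = "198.51.100.0/24"               # constructed office range (TEST-NET-2)
ANYWHERE = "0.0.0.0/0"


@dataclass
class Rule:
    port: int
    source: str   # CIDR string, or "sg:<name>" to allow only members of that group


@dataclass
class SecurityGroup:
    name: str
    attached_to: list           # instance names using this group
    ingress: list = field(default_factory=list)


def exposure(rule: Rule) -> str:
    """Classify where a rule's source lives: 'internal' (inside the VPC or a
    security-group reference), 'world' (0.0.0.0/0) or 'external' (any other
    range outside the VPC, such as the corporate block)."""
    if rule.source.startswith("sg:"):
        return "internal"
    if rule.source == ANYWHERE:
        return "world"
    net = ipaddress.ip_network(rule.source, strict=False)
    return "internal" if net.subnet_of(VPC_CIDR) else "external"


def exposed_mgmt_ports(groups):
    """Map each instance to the management-port rules that reach it from
    outside the VPC: {instance: [(port, protocol, source, exposure), ...]}."""
    findings = {}
    for sg in groups:
        for rule in sg.ingress:
            if rule.port not in MGMT_PORTS:
                continue
            kind = exposure(rule)
            if kind == "internal":
                continue
            for inst in sg.attached_to:
                findings.setdefault(inst, []).append(
                    (rule.port, MGMT_PORTS[rule.port], rule.source, kind))
    return findings


def world_open_instances(groups):
    """Instances with a management port open to 0.0.0.0/0 (the worst case)."""
    return sorted(inst for inst, hits in exposed_mgmt_ports(groups).items()
                  if any(kind == "world" for *_, kind in hits))


# Scenario in the question: every VM accepts RDP/SSH from the corporate range.
BEFORE = [
    SecurityGroup("sg-linux", ["web-1", "web-2", "db-1"], [Rule(22, CORPORATE_RANGE)]),
    SecurityGroup("sg-windows", ["ad-1", "file-1"], [Rule(3389, CORPORATE_RANGE)]),
]

# Distractor: a client VPN is added, but the groups are left open to 0.0.0.0/0.
VPN_BUT_OPEN = [
    SecurityGroup("sg-linux", ["web-1", "web-2", "db-1"], [Rule(22, ANYWHERE)]),
    SecurityGroup("sg-windows", ["ad-1", "file-1"], [Rule(3389, ANYWHERE)]),
]

# Correct answer: one bastion in a public subnet takes SSH from the corporate
# range; private VMs accept SSH/RDP only from the bastion's security group.
AFTER = [
    SecurityGroup("sg-bastion", ["bastion-1"], [Rule(22, CORPORATE_RANGE)]),
    SecurityGroup("sg-linux", ["web-1", "web-2", "db-1"], [Rule(22, "sg:sg-bastion")]),
    SecurityGroup("sg-windows", ["ad-1", "file-1"], [Rule(3389, "sg:sg-bastion")]),
]


def report(label, groups):
    findings = exposed_mgmt_ports(groups)
    print(f"{label}: {len(findings)} instance(s) reachable on a management port from outside the VPC")
    for inst, hits in sorted(findings.items()):
        for port, proto, src, kind in hits:
            print(f"  {inst:10} {proto}/{port} from {src} ({kind})")
    return findings


if __name__ == "__main__":
    report("before", BEFORE)        # 5 instances, all 'external'
    report("vpn-but-open", VPN_BUT_OPEN)   # 5 instances, all 'world'
    report("after", AFTER)          # only bastion-1, from the corporate range
```

The classification deliberately treats a security-group reference as internal rather than trying to guess whether a CIDR is "public", because the question's point is the number of hosts reachable from outside the VPC: the bastion layout leaves exactly one, while the VPN-with-open-groups option leaves every VM reachable from anywhere, which is why it scores worst even though a VPN is present.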
Cloud Security Operations