AWS Certified SysOps Administrator – Associate (legacy) — Question 909
An application is running on multiple EC2 instances. As part of an initiative to improve overall infrastructure security, the EC2 instances were moved to a private subnet. However, since moving, the EC2 instances have not been able to automatically update, and a SysOps Administrator has not been able to SSH into them remotely.
Which two actions could the Administrator take to securely resolve these issues? (Choose two.)
Answer options
- A. Set up a bastion host in a public subnet, and configure security groups and route tables accordingly.
- B. Set up a bastion host in the private subnet, and configure security groups accordingly.
- C. Configure a load balancer in a public subnet, and configure the route tables accordingly.
- D. Set up a NAT gateway in a public subnet, and change the private subnet route tables accordingly.
- E. Set up a NAT gateway in a private subnet, and ensure that the route tables are configured accordingly.
Correct answer: A, D
Explanation
The instances stopped updating because a private subnet, by definition, has no route to an internet gateway. Option D restores outbound-only access: a NAT gateway is created in a public subnet (it needs an Elastic IP and a route to the internet gateway, which only a public subnet provides), and the private subnet's route table gets a 0.0.0.0/0 route pointing at the NAT gateway. The NAT gateway only translates connections initiated from inside the VPC, so nothing on the internet can open a connection to the instances.
SSH stopped working because the instances no longer have public IPs or any inbound path. Option A restores it without exposing them: a bastion host in a public subnet with a route to the internet gateway, a security group on the bastion that allows TCP 22 only from the administrator's source range, and a security group on the private instances that allows TCP 22 only from the bastion's security group (referenced by group ID, not by CIDR). Administrators connect to the bastion and hop from there.
Options B and E are wrong because a bastion or NAT gateway placed in a private subnet has no route to an internet gateway: the bastion cannot be reached from outside, and the NAT gateway cannot forward traffic out. Option C is wrong because a load balancer distributes inbound application traffic; it does nothing for outbound updates and is not an administrative access mechanism. (In current practice AWS Systems Manager Session Manager over VPC interface endpoints avoids the bastion entirely, but it is not among the options offered here.)