A team wants to remove a bastion host used for administrative access to EC2 instances in private subnets. The instances should be reachable only for occasional troubleshooting by engineers who authenticate with AWS SSO. What is the best secure alternative within AWS, assuming the instances already have an instance profile attached?

Keep the bastion host but move it into a private subnet; engineers can connect by using a corporate VPN into the VPC.

A bastion host remains a high-value target and still requires controlled network access. Even if the bastion is private, inbound connectivity and SSH exposure remain. Session Manager provides a more direct elimination of the bastion as well as auditability.

Attach a public IP to each private instance so engineers can SSH directly and use security groups to restrict access.

Public IPs for instances in private subnets defeat the private-subnet isolation and increase attack surface. While security groups could limit access, it’s still direct internet exposure rather than brokered, permissioned management via AWS SSM.

Create a security group rule that allows engineers’ source IP addresses to reach instances over RDP on port 3389.

Allowing RDP with IP-based controls still requires a management network path and does not remove exposure. It also doesn’t align with using AWS SSO-based authentication for secure access auditing and operational workflows.

What does this SAA-C03 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Use AWS Systems Manager Session Manager, enabling the required SSM permissions in the instance profile and restricting access to engineers via IAM. — The most secure bastion-free approach is AWS Systems Manager Session Manager. It allows engineers to start interactive shell sessions without inbound SSH from the internet, because the session is brokered through the SSM service. Since you already have an instance profile, the primary remaining requirements are that the profile permits the needed SSM actions (for example, starting sessions) and that engineers are allowed to create sessions through IAM (often integrated with AWS SSO). This design reduces the attack surface and improves centralized auditing in CloudTrail/CloudWatch. Why others are wrong: B keeps the bastion, so it doesn’t remove the operational and security risk the team is trying to eliminate. C reintroduces internet reachability by assigning public IPs. D focuses on opening RDP via security groups, which still exposes management ports and does not leverage SSO-based session brokering or avoid inbound connectivity entirely.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.