AWS Bastion Host Certification

Bastion Host Overview
Bastion is a Fortification structure that protects the things behind it.
A Bastion hosts (also known as Jump servers) are used in AWS to secure access instances within the private subnets.
Bastion host would be launched in the Public subnets to act as a primary Internet access point and proxy to other instances.
Key points
Bastion host is located in the Public subnet. It acts as a proxy between you and your instances and acts as a gateway.
Bastion host is a security feature that helps to reduce attacks on your infrastructure. You only need to focus on hardening one layer.
Bastion host allows you secure login to instances in Private subnet without the need to store private keys on Bastion host (using RDP gateways or ssh agent forwarding).
Bastion host security can also be tightened to allow SSH/RDP access via trusted IPs or corporate ranges
You should not use Bastion host to your AWS infrastructure for any other purpose. This could expose security holes.
All instances in the private subnet must be secured to allow SSH/RDP connections from the Bastion host.
For HA, deploy a Bastion host in each Availability Zone. If the Bastion instance or AZ hosting the Bastion server goes out, your ability to connect to your private instances will be lost AWS Certification Exam Practice Questions
Questions are collected via the Internet. The answers are marked according to my knowledge and understanding (which may differ from yours).
AWS services are constantly updated and the answers and questions may be out of date soon. So make sure to research accordingly.
AWS exam questions cannot be updated to keep up with AWS updates. This means that even if the underlying feature has been changed, the question may not be updated.
We are open to further feedback, discussion, and correction. A customer has a multi-tiered web application farm that they run in a virtual private Cloud (VPC). This VPC is not connected to their corporate network. They connect to the VPC via the Internet to manage all their Amazon EC2 instances that are running in both public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of these Bastion deployment scenarios will satisfy this requirement? Deploy a Windows Bastion host to the corporate network that has RDP Access to all instances within the VPC.
Install a Windows Bastion host with an ElasticIP address in the public network and allow SSH access from anywhere.
Deploy a Windows Bastion host using an Elastic IP address in a private subnet. RDP access to the bastion can be restricted to only the corporate public IP addresses.
You are creating a Bastion host. This component must be available at all times without human intervention. Which one of the following approaches would work best for you? Run the bastion on 2 instances, 1 in each AZ
Run the bastion on an Active Instance in one AZ. Have an AMI ready to boot in case of failure
Configure the bastion instance within an Auto Scaling Group. Specify the Auto Scaling Group to include multiple AZs, but have a min-size and maximum size of 1.
Configure an ELB at the bastion instance The configuration is as follows: VPC vpc-2f8t>C447IGW ig-2d8bc445NACL acl-2080c448Subnets and Route Tables:Web server’s subnet-258bc44dApplication serv