Why Bastion Hosts Add Risk
See how jump boxes and open ports widen your attack surface.
The Old Way In
To administer servers inside a private network, teams traditionally used a bastion host (also called a jump box): a hardened, internet-facing instance you SSH into first, then hop to internal machines. While common, this pattern widens your attack surface in several ways the SCS-C02 exam expects you to recognize and eliminate.
What a Bastion Host Is
A bastion host sits in a public subnet with a port (usually 22 for SSH or 3389 for RDP) open to the internet or a corporate IP range. Administrators connect to it, then reach private instances. It is the single guarded door into the environment, which makes it both critical and a prime target.
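The exposure described above can be audited from security group rules. The following is an added example, not part of the original page: it assumes rule data in the shape returned by the EC2 DescribeSecurityGroups API, and the group IDs and rules are constructed sample values. It flags SSH and RDP reachable from the whole internet, including wide port ranges and all-traffic rules that cover those ports implicitly.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # the bastion ports the page names

def _is_world_open(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_admin_rules(security_groups):
    """Return (group_id, service, cidr) for each admin port open to the internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                lo, hi = 0, 65535  # "-1" means every protocol and port
            elif proto == "tcp":
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            else:
                continue  # this check covers TCP only
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world_open(cidr):
                    continue  # restricted source, e.g. a corporate range
                for port, service in ADMIN_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((sg["GroupId"], service, cidr))
    return findings

# Constructed sample data (hypothetical group IDs, documentation IP range).
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-corp-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-wide-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-all-example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for finding in exposed_admin_rules(SAMPLE_GROUPS):
        print(finding)
```

The corporate-range rule is not flagged here because its source is restricted, but the port is still open on an internet-facing instance and remains part of the attack surface.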