BastionHostConfig Type
High-level Bastion Host builder following AWS security best practices.

**Default Security Settings:**
- Instance type = t3.nano (minimal compute for SSH access)
- Machine image = Amazon Linux 2023
- Requires IMDSv2 = true (enhanced security)
- Subnet type = PUBLIC (for external SSH access)

**Rationale:** These defaults follow AWS Well-Architected Framework:
- t3.nano is cost-effective for bastion workloads
- Amazon Linux 2023 has latest security patches
- IMDSv2 prevents SSRF attacks against instance metadata
- Public subnet placement allows external access

**Security Note:** Bastion hosts should use strict security groups and key-based authentication. Consider AWS Systems Manager Session Manager as a more secure alternative.

**Escape Hatch:** Access the underlying CDK BastionHostLinux via the `BastionHost` property for advanced scenarios not covered by this builder.
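One way to confirm after synthesis that a bastion stack still carries the IMDSv2 default and follows the strict-security-group advice above, as an added example that is not part of FsCDK. It assumes the synthesized CloudFormation template is available as a dict, that IMDSv2 is enforced through a launch template's `MetadataOptions.HttpTokens`, and that ingress rules are declared inline on the security group; the logical IDs in the sample are constructed.

```python
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def _refs(node):
    """Yield logical IDs referenced through Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if isinstance(node.get("Fn::GetAtt"), list):
            yield node["Fn::GetAtt"][0]
        node = list(node.values())
    if isinstance(node, list):
        for value in node:
            yield from _refs(value)

def imdsv2_required(resources, instance_id):
    """True if a launch template used by the instance sets HttpTokens to 'required'."""
    for ref in _refs(resources[instance_id].get("Properties", {}).get("LaunchTemplate", {})):
        lt = resources.get(ref, {})
        data = lt.get("Properties", {}).get("LaunchTemplateData", {})
        if (lt.get("Type") == "AWS::EC2::LaunchTemplate"
                and data.get("MetadataOptions", {}).get("HttpTokens") == "required"):
            return True
    return False

def audit(template):
    """Return findings: instances without IMDSv2, and port 22 reachable from any address."""
    resources, findings = template.get("Resources", {}), []
    for name, res in resources.items():
        if res.get("Type") == "AWS::EC2::Instance" and not imdsv2_required(resources, name):
            findings.append(f"{name}: IMDSv2 not required")
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            proto, cidr = str(rule.get("IpProtocol")), rule.get("CidrIp") or rule.get("CidrIpv6")
            covers_ssh = proto == "-1" or (
                proto == "tcp" and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535))
            if cidr in OPEN_CIDRS and covers_ssh:
                findings.append(f"{name}: port 22 open to {cidr}")
    return findings

# Constructed sample (logical IDs are made up): IMDSv2 enforced, SSH limited to one range.
SAMPLE = {"Resources": {
    "BastionLT": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
        "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "required"}}}},
    "Bastion": {"Type": "AWS::EC2::Instance", "Properties": {"LaunchTemplate": {
        "Version": {"Fn::GetAtt": ["BastionLT", "LatestVersionNumber"]}}}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}]}},
}}
```

`audit(SAMPLE)` returns an empty list; a template that drops the launch template or opens port 22 to `0.0.0.0/0` yields one finding per issue, which makes the function usable as a CI gate on the synthesized output.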
Record fields

| Record Field | Field type | Description |
| --- | --- | --- |
| `BastionName` | `string` | |
| `ConstructId` | `string option` | |
| `InstanceName` | `string option` | |
| `RequireImdsv2` | `bool option` | |
FsCDK