Hello! Please clarify why you consider using a bastion more secure than a VPN? (Now AWS has an even more secure option – SSM Session Manager.)
You should definitely use a VPN (or Direct Connect) to connect to the Bastion host. By exposing only the Bastion host to SSH or RDP connections, you minimize the attack surface: it lets you connect to your EC2 instances in private subnets without exposing them to any external network.
Of course there is now the option of using SSM, but you still need to know about the use of a Bastion host, as it will definitely come up in the exam! A Bastion is also more versatile, as you can use it to reach your private instances using protocols other than SSH, like HTTPS or whatever protocols your application uses.
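The answer above describes a layering: the bastion's security group admits SSH/RDP only from the VPN address range, and the private instances' security groups admit SSH/RDP only from the bastion's security group. Below is an added example (not code from the thread or from AWS) that audits a set of security groups for exactly that pattern. The rule dictionaries are shaped like the `IpPermissions` entries returned by the EC2 `DescribeSecurityGroups` API, but the group IDs (`sg-bastion`, `sg-private`), the VPN range `10.8.0.0/16`, and the rules themselves are constructed sample data, not taken from any real account.

```python
import ipaddress

# Administrative ports the bastion is meant to front (SSH and RDP, as in the answer).
ADMIN_PORTS = (22, 3389)


def rule_covers_port(rule, port):
    """True if an EC2-style ingress rule permits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules carry no port range
        return True
    if proto != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def within_vpn(cidr, vpn_net):
    """True if `cidr` lies entirely inside the VPN range (same IP version required)."""
    net = ipaddress.ip_network(cidr)
    return net.version == vpn_net.version and net.subnet_of(vpn_net)


def audit_admin_access(security_groups, bastion_sg_id, vpn_cidr):
    """Check the bastion pattern: only the bastion SG admits SSH/RDP, and only from
    the VPN range; every other SG admits SSH/RDP only from the bastion SG.

    Returns a list of (group_id, port, source, reason) findings; empty means the
    pattern holds for the supplied groups.
    """
    findings = []
    vpn_net = ipaddress.ip_network(vpn_cidr)
    for sg in security_groups:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissions", []):
            for port in ADMIN_PORTS:
                if not rule_covers_port(rule, port):
                    continue
                # CIDR-based sources: acceptable only on the bastion, and only from the VPN.
                for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
                    cidr = r.get("CidrIp") or r.get("CidrIpv6")
                    if gid == bastion_sg_id:
                        if not within_vpn(cidr, vpn_net):
                            findings.append((gid, port, cidr, "outside-vpn"))
                    else:
                        findings.append((gid, port, cidr, "not-bastion"))
                # Security-group sources: private instances may trust the bastion SG only.
                for pair in rule.get("UserIdGroupPairs", []):
                    src = pair["GroupId"]
                    if gid != bastion_sg_id and src != bastion_sg_id:
                        findings.append((gid, port, src, "not-bastion"))
    return findings


# Constructed sample data (hypothetical IDs and ranges); not from a real account.
BASTION_SG = "sg-bastion"
VPN_CIDR = "10.8.0.0/16"
SAMPLE_SGS = [
    {
        "GroupId": "sg-bastion",
        "IpPermissions": [
            # Good: SSH only from the VPN range.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.8.0.0/16"}], "UserIdGroupPairs": []},
            # Bad: RDP open to the whole Internet.
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-private",
        "IpPermissions": [
            # Good: SSH only from the bastion's security group.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
            # Application traffic on 443 is not an admin port, so it is ignored here.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
            # Bad: SSH reachable directly, bypassing the bastion.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
]

if __name__ == "__main__":
    for gid, port, source, reason in audit_admin_access(SAMPLE_SGS, BASTION_SG, VPN_CIDR):
        print(f"{gid}: port {port} from {source} ({reason})")
```

Against the sample data the audit reports two findings: the bastion's RDP rule is open to `0.0.0.0/0` rather than the VPN range, and the private group admits SSH from `0.0.0.0/0` instead of only from the bastian group. Feeding it real `describe_security_groups` output would simply mean passing `response["SecurityGroups"]` in place of `SAMPLE_SGS`. On the client side the same layering is what an `~/.ssh/config` entry with `ProxyJump` through the bastion relies on: the administrator's machine reaches the bastion over the VPN, and the private instance is only ever reached from the bastion.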