One (of many) lessons I learnt attending AWS Re:Invent this year, is that when you are trying to do something on AWS, more often than not “there is a service for that”, or there will be one very soon. A notable exception for me has been a managed service for securely accessing shell on EC2 instances. SSH is something (presumably) everyone needs from time to time, yet opening port 22 is like opening a can of worms in terms of security.
For this reason, we usually roll out Bastion hosts to serve as gatekeepers between the internet and our instances…
