AWS Bastion Host: Secure Remote Access to Your Private Instances

Introduction

There’s no doubt that security is a big deal in cloud computing. Managing an EC2 fleet within an Amazon Web Services (AWS) Virtual Private Cloud (VPC) is crucial to ensuring secure remote access.

In the VPC, the Bastion Host provides a secure and controlled gateway to your instances. Let’s take a look at AWS Bastion Host, its benefits, how to set it up, and a practical example in this blog.

Understanding AWS Bastion Host

What is an AWS Bastion Host?

The idea is that our AWS users want to access an EC2 instance that is in a private subnet, but we as users, we are on our computer on the public internet. So obviously because our EC2 instance is in a private subnet we don’t have direct internet access to it. Hence, the bastion host.

An AWS Bastion Host is a specially configured EC2 instance that acts as an intermediary between your local machine (client) and the private instances residing within your VPC. It enables secure and controlled access to private instances, which are typically not directly accessible from the public internet. It has its own security group we call it as a bastion host security group, then we also have a security group for our EC2 instance in the private subnet.

Bastion Host

Since both the bastion host and the private EC2 instance are in the same VPC, they can communicate within the VPC. To access the private instance, we connect through SSH to the bastion host and then use SSH again from the bastion host to the private EC2 instance. This setup ensures secure access without compromising direct internet access.

The bastion host acts as a secure gateway, allowing users on the public internet to access private instances in a straightforward and secure manner. This method works efficiently, whether we have one or multiple EC2 instances in the private subnet.

Benefits of Using AWS Bastion Hosts

1. Enhanced Security: Bastion hosts serve as a single entry point into your VPC, reducing the exposure of private instances to potential security threats.
2. Controlled Access: By setting up proper security groups and IAM roles, you can tightly control who can access your private instances via the bastion host.
3. Simplified Network Management: Bastion hosts streamline network management, providing a central point of access for your private instances.
4. Auditing and Logging: Bastion hosts can be equipped with monitoring and logging tools to track access activities and improve auditing capabilities.

Setting Up an AWS Bastion Host

Create the Bastion Host

Step 1: Go to the AWS Management Console and navigate to the EC2 dashboard.

Step 2: Click on “Launch Instance” to create a new EC2 instance.

Step 3: Choose an Amazon Machine Image (AMI) based on your preferred operating system.

Step 4: Configure the instance details, including instance type, VPC, subnet, and security group. Ensure that the security group allows SSH access (port 22) from your IP address or a specific range of IPs.

Step 5: Add any additional storage or tags as needed.

Step 6: Review your settings and launch the instance.

Configure the Bastion Host

Step 1: Once the instance is running, connect to it via SSH using the key pair associated with the instance.

Step 2: Install any necessary software or tools required for your use case.

Step 3: To enable access to private instances, the bastion host may require specific IAM roles or permission settings.

Accessing Private Instances via Bastion Host: A Practical Example

Let’s assume you have a VPC with a private subnet hosting sensitive application servers, and you want to access these private instances securely using a bastion host.

1. VPC Setup:

• Create a new VPC with private and public subnets in different availability zones.
• Assign appropriate CIDR blocks to each subnet.

2. Bastion Host Setup:

• Create a new EC2 instance to act as the bastion host.
• Place the bastion host in the public subnet.
• Associate an Elastic IP address to ensure the IP remains static.

3. Security Group Configuration:

• For the bastion host, configure the security group to allow SSH access (port 22) only from specific IP addresses or a limited range of IPs.

4. Private Instance Security Group:

• Configure the security group of your private instances to allow incoming SSH traffic (port 22) from the bastion host’s security group.

5. SSH Connection:

• To access the private instances, connect to the bastion host using SSH:

ssh -i your-key.pem ec2-user@bastion-host-public-ip

• Once connected to the bastion host, initiate another SSH session to your private instances:

ssh -i your-key.pem ec2-user@private-instance-private-ip

Best Practices for Managing AWS Bastion Hosts

1. Update and Patch Regularly:
   Keep the bastion host’s operating system and software up-to-date with the latest security patches to mitigate potential vulnerabilities.
2. Limit Access via IAM Roles:
   Utilize AWS Identity and Access Management (IAM) roles to control user access to the bastion host. Avoid using root credentials for SSH access.
3. Rotate SSH Key Pairs Regularly:
   Implement a key rotation policy for SSH key pairs to minimise the risk of unauthorised access.
4. Implement Multi-Factor Authentication (MFA):
   Enable Multi-Factor Authentication for SSH access to add an extra layer of security.

Conclusion

The AWS Bastion Host serves as a crucial component in securing remote access to private instances within your VPC. By acting as a controlled gateway, the bastion host minimizes security risks while providing a straightforward and efficient way to manage your cloud infrastructure.

By following best practices and proper security measures, you can ensure that your AWS Bastion Host is a secure and reliable solution for accessing your private instances.

Thank You!