This article discusses why you do not need that bastion host and what the alternatives are. Do you have any further questions after reading this article? If so, please contact me. You can reach out to me here.
Even AWS provides instructions on how to set up a bastion host. But managing a bastion host comes with some underlying security and scalability concerns:
- You need to patch and maintain the bastion host, and you must also manage who has access to it
- High availability for your bastion host requires multiple hosts in multiple subnets, each with its own Elastic IP
- It is hard to audit a bastion host (who connected to it and did what)
- You need to secure the network and maintain a list of IP addresses that can access the bastion host
- If you use the bastion host as a jump host for other EC2 instances you need to set up SSH key forwarding
There are multiple alternatives you can use to access your internal network. Moreover, these are more secure and give you better auditability of external access.
4 bastion host alternatives
1. AWS EC2 Instance Connect
With EC2 Instance Connect you can connect directly to the EC2 instance from the web console or the CLI.
EC2 Instance Connect is only supported on the default AWS AMIs with Amazon Linux 2 or Ubuntu, because it relies on a tool that comes preinstalled on these AMIs.
Normal mode
If you connect from your own machine, your IP address needs to be whitelisted in the security group of the instance. If you connect through the console, you need to whitelist the IP ranges of EC2 Instance Connect mentioned here.
Endpoint mode
In this case you first create an EC2 Instance Connect endpoint and connect through that. The network traffic will then originate from this endpoint.
You can use AWS CloudTrail to log connections to the EC2 instances. However, AWS CloudTrail does not log executed commands. Moreover, you cannot control the commands with IAM policies.
This solution does not allow you to connect to other resources in your VPC (e.g. databases). If you need that type of access, use one of the next two solutions.
EC2 Instance Connect only supports the SSH protocol, so you cannot use it to connect to Windows instances.
2. AWS Systems Manager – Session Manager
An even better option is to use Systems Manager to connect to the instances. Systems Manager also allows you to connect to ECS containers since the launch of Amazon ECS Exec.
From a security perspective, the great thing is that you don’t have to open any inbound ports to make Session Manager work. The machine you want to connect to opens the connection itself (through the Systems Manager API). Thus, it only needs an outbound connection to the Systems Manager endpoints.
You need to make sure that the instances you want to connect to have the Systems Manager agent running. EC2 instances need an instance profile whose role has the AmazonSSMManagedInstanceCore managed policy attached. In addition, they need access to the Systems Manager API (either via a NAT Gateway or a VPC endpoint). Setting this up will also allow you to connect to Windows instances.
To connect to other services via port forwarding (e.g. your database) you can use the port forwarding feature. To use this feature you do need an entry host. This can be an EC2 instance with access to Systems Manager, a public IP address and no inbound security group rules.
From an auditing perspective Session Manager allows you to:
- Manage who can connect to the instances
- Control what commands can be run on the instances via IAM policies
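An added example (not from the original post) of what the IAM side of this looks like: a least-privilege policy for a user who may only open port-forwarding sessions, only to instances carrying a specific tag, and may only terminate or resume their own sessions. The region, the account ID 111122223333, and the tag key/value SessionAccess=db-admins are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:eu-west-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/SessionAccess": "db-admins" },
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "PortForwardingDocumentOnlyNoShell",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost"
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "ReadOnlyNeededByConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceProperties",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

Because the session document whitelist omits the interactive shell document, this user gets a tunnel to the database but no shell on the entry host; drop the tag condition or add a shell document and the blast radius grows accordingly.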
3. AWS Client VPN
You can set up a standard client VPN with AWS. This option is relatively expensive because you pay per client and per endpoint association. A single-AZ endpoint would set you back around $72 per month. Five clients using the service 160 hours a month each would set you back around $40 per month.
Make sure not to send your internet traffic over this VPN. You will be charged the AWS bandwidth fee, and this can run your bill up with an unexpected cost (I know this from experience).
To save costs you can get an OpenVPN instance from the AWS Marketplace. But this requires you to manage the instance again.
4. Cloudflare Zero Trust – Split tunnels
If you use Cloudflare and have the WARP agent installed in your private network (for example, as a managed Fargate service) you can use a split tunnel to connect to your internal network as well. You can then use Cloudflare One as a VPN to connect within your network.
This option is free but does not give you great auditability, and you must run Docker containers with the Cloudflare agent. Here is a post that covers this in detail.
Let me know if you are missing any information or if you would like a one-on-one appointment for more information tailored to your specific situation.