A Bastion Host in AWS is a special-purpose server that is designed to provide secure access to other instances (usually within private subnets) in a Virtual Private Cloud (VPC) that do not have direct internet access. The bastion host acts as a gateway, allowing you to securely access instances in the private subnet via SSH or RDP without exposing those instances to the public internet.
Key Features of a Bastion Host
- Secure Access Point:
- The bastion host is the only instance in the VPC that is exposed to the internet. It serves as a single point of entry, providing secure access to your private instances. Users connect to the bastion host first and then access the private instances from there.
- Public IP Address:
- The bastion host typically has a public IP address, allowing it to be accessed from the internet. However, it should be tightly secured with security groups and other access controls to prevent unauthorized access.
- Isolation of Private Instances:
- Instances in private subnets do not have public IP addresses and cannot be accessed directly from the internet. The bastion host enables access to these instances while keeping them isolated from direct exposure.
- Controlled Access:
- Access to the bastion host can be controlled through security groups, network ACLs, and IAM policies. Only specific IP addresses or ranges (e.g., your corporate IP) should be allowed to connect to the bastion host.
- Logging and Monitoring:
- All access to the bastion host should be logged and monitored. You can use tools like AWS CloudTrail, Amazon CloudWatch, and AWS Systems Manager Session Manager to track and audit access to your bastion host and private instances.
- Minimal Software Installation:
- The bastion host should be a minimal installation, running only the necessary software to facilitate secure access (e.g., SSH or RDP). This reduces the attack surface and minimizes security risks.
- High Availability:
- For high availability, you can deploy multiple bastion hosts in different Availability Zones (AZs) or use an Auto Scaling group to automatically replace failed instances.
Common Use Cases for a Bastion Host
- Secure Remote Access to Private Instances:
- Organizations use bastion hosts to provide secure access to EC2 instances in private subnets. Developers, administrators, or DevOps engineers can use the bastion host to SSH or RDP into private instances without exposing them to the internet.
- Compliance and Security:
- Bastion hosts are used to meet compliance and security requirements by ensuring that only authorized personnel can access sensitive instances. They help enforce the principle of least privilege by limiting access points.
- Network Troubleshooting:
- In cases where private instances need to be accessed for troubleshooting network issues, a bastion host provides a secure method to connect and diagnose problems without altering the network security posture.
- Database Administration:
- Database servers are often placed in private subnets for security reasons. A bastion host allows database administrators to securely connect to these servers for maintenance, backups, or other administrative tasks.
Setting Up a Bastion Host in AWS
Here’s a step-by-step guide to setting up a bastion host in AWS:
Step 1: Launch a Bastion Host in a Public Subnet
- Choose an AMI: Use a minimal, hardened Amazon Machine Image (AMI), such as an Amazon Linux 2 or Ubuntu LTS, with SSH installed for Linux instances or Windows Server for RDP.
- Instance Type: Select an instance type appropriate for the expected load, such as
t3.micro
ort3.small
for low traffic. - Public Subnet: Place the instance in a public subnet of your VPC, where it can obtain a public IP address.
- Security Group: Create or select a security group that allows inbound traffic on the SSH (port 22) or RDP (port 3389) from your IP address or a limited IP range. Restrict outbound traffic to only the necessary ports and destinations (e.g., the private subnet range).
Step 2: Configure Key Pair or IAM Credentials
- SSH Key Pair (Linux): Use an SSH key pair to securely access the bastion host. Ensure that the private key is securely stored and used only by authorized personnel.
- RDP Credentials (Windows): Set up a strong password for RDP access and use IAM roles and policies to manage permissions.
Step 3: Set Up Security and Monitoring
- Security Groups: Ensure that the bastion host’s security group allows inbound SSH/RDP from your IP address or a specific IP range, and restricts outbound traffic to the private subnets.
- VPC Flow Logs: Enable VPC Flow Logs to capture and analyze traffic to and from the bastion host for security auditing.
- CloudWatch Logs: Configure the bastion host to send system logs, such as SSH access logs, to Amazon CloudWatch Logs for monitoring and alerting.
Step 4: Access the Private Instances via the Bastion Host
- SSH from the Bastion (Linux):
- SSH into the bastion host using your SSH key:
bash
ssh -i /path/to/key.pem ec2-user@bastion-public-ip
- SSH into the bastion host using your SSH key:
- From the bastion host, SSH into a private instance using its private IP address:
bash
ssh ec2-user@private-instance-ip
- RDP from the Bastion (Windows):
- Connect to the bastion host using RDP.
- From the bastion host, initiate an RDP session to the private instance using its private IP address.
Step 5: Harden the Bastion Host
- Limit Software: Install only essential software (e.g., SSH server for Linux or RDP for Windows). Avoid running additional services or applications on the bastion host.
- Regular Updates: Ensure that the bastion host is regularly updated with the latest security patches.
- Multi-Factor Authentication (MFA): If possible, enforce multi-factor authentication for accessing the bastion host.
Best Practices for Using a Bastion Host
- Use IAM Policies for Access Control:
- Use IAM policies to restrict who can launch and access the bastion host. Implement the principle of least privilege to minimize the risk of unauthorized access.
- Enable Logging and Auditing:
- Enable detailed logging and auditing for all access to the bastion host. Use AWS CloudTrail, VPC Flow Logs, and CloudWatch Logs to track and monitor all activities.
- Implement Session Recording:
- For additional security, consider using AWS Systems Manager Session Manager to manage SSH or RDP sessions. Session Manager can record all sessions for auditing purposes, providing a comprehensive audit trail.
- Regularly Rotate SSH Keys/Passwords:
- Regularly rotate SSH keys for Linux bastion hosts or RDP passwords for Windows bastion hosts to enhance security. Consider using AWS Secrets Manager to manage and rotate credentials.
- Use Auto Scaling for High Availability:
- Deploy multiple bastion hosts across different Availability Zones and use Auto Scaling to ensure high availability. This setup ensures that access remains available even if one bastion host becomes unavailable.
- Automate Bastion Host Management:
- Use automation tools like AWS CloudFormation, Terraform, or Ansible to deploy and manage bastion hosts consistently and securely.
- Limit Access to Specific IPs:
- Restrict access to the bastion host by configuring the security group to allow connections only from specific, trusted IP addresses (e.g., corporate office IPs).
- RDP from the Bastion (Windows):