
I am exploring how to set up bastion-host-like security and networking configuration on AWS.

Let's say I have multiple EC2 instances. But I do not want to enable SSH on every other EC2 instance. I want to use a specially configured EC2 instance as a bastion host on which I can do SSH from my private IP (only); and once I am on bastion host instance or Jumpbox instance, I want to do SSH to any other EC2 instance in my VPC.

Is there any AMI instance available which I can use as a Jumpbox or bastion host? So that I can use only one bastion host to do SSH into any other EC2 instances within my VPC.

I saw a few jump box EC2 AMIs, but I guess they are being used more like a Bitnami type of distribution and not acting as a bastion host.

1 Answer


As AWS Security groups can enable you to permit a particular IP or explicit range of IPs for SSH inbound, it's quite pointless having a Bastion Host for this use case. The Docs teach you how to do this.

The only time you'd want a Bastion Host on AWS is if you need to SSH into instances that are in a private subnet. To get at instances in a private subnet from the internet, you need to SSH into an instance in a public subnet, and from that bastion instance, you would need to SSH to your instance in the private subnet using its private IP.

It's pretty simple to set up. You don't need any fancy AMIs or anything like that and it only really needs to be something small like a t2.micro. Just launch any instance, e.g. Amazon Linux, in a public subnet. Make sure its security group allows your IP on port 22, and SSH into it. Then you will need to permit the bastion host access to your required instances with security groups.

Once you have got this created, you can SSH into your bastion, and from there you can simply SSH into your desired instance.

Check out these links:


 

However, a different way of accessing instances in a private subnet is to set up a VPN.

But the best way to lock down your instances is to use security groups and only allow your desired IPs to your instances.
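An added example, not part of the original answer: a small Python audit that checks security-group rules against the bastion layout described above (SSH to the bastion only from the admin IP, SSH to the other instances only from the bastion's security group). The group IDs, addresses and the `audit_ssh` helper are constructed for illustration; the input uses the shape of `aws ec2 describe-security-groups` output, and only IPv4 ranges are checked.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and addresses are placeholders, not values from the original post.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-private-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-private-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

def covers_ssh(perm):
    """True if the rule's protocol and port range include TCP/22."""
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)

def audit_ssh(groups, bastion_sg, admin_cidrs):
    """Return (group_id, finding) pairs for SSH rules that break the layout."""
    allowed = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for g in groups:
        gid, is_bastion = g["GroupId"], g["GroupId"] == bastion_sg
        for perm in filter(covers_ssh, g.get("IpPermissions", [])):
            for r in perm.get("IpRanges", []):  # IPv4 only; Ipv6Ranges not checked
                net = ipaddress.ip_network(r["CidrIp"])
                if not is_bastion:
                    findings.append((gid, f"SSH open to CIDR {net}, expected only {bastion_sg}"))
                elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                    findings.append((gid, f"bastion SSH open to {net}, outside admin ranges"))
            for pair in perm.get("UserIdGroupPairs", []):
                # Instances should accept SSH from the bastion's group and nothing else.
                if is_bastion or pair["GroupId"] != bastion_sg:
                    findings.append((gid, f"SSH allowed from group {pair['GroupId']}"))
    return findings

if __name__ == "__main__":
    for gid, msg in audit_ssh(SAMPLE_GROUPS, "sg-bastion", ["203.0.113.10/32"]):
        print(gid, "-", msg)
```
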
