Bastion Host
A bastion host is a server that provides access to a private network from a public network, such as the Internet. Because it is exposed to attack, a bastion host must be hardened to minimise the chance of compromise.
Requirements to be considered
Option 1: Windows RDP
A bastion reached via RDP gives users a Windows desktop, and therefore any tool that can be installed on the machine, as if they were working on their local machine.
RDP is known to have had security vulnerabilities.
By default, only two concurrent users are allowed without extra charges; more users require purchasing Client Access Licenses (CALs) and, consequently, managing those users.
Building a Windows Server AMI with all the required tools takes time, and so does every security patch or update.
Option 2: Amazon WorkSpaces
Amazon WorkSpaces is like a GUI bastion, but as a managed service that can be deployed in a private subnet. Each user has their own machine (Windows or Ubuntu) with a user interface, and users are managed via Simple AD or Microsoft Active Directory.
Amazon WorkSpaces comes at a price, for example a $30 flat fee per user per month.
Creating a bundle cannot be fully automated.
Managing users and WorkSpaces is time consuming.
Option 3: VPN
All traffic is routed through the VPN, and the VPN's outgoing IP is the one allowed in the resources' security groups.
Setup adds more complexity and more resources to manage.
Users' local machines become part of our private network, which increases the attack surface by adding components we have almost zero control over.
Option 4: AWS SSM
AWS Systems Manager Session Manager is like an SSH bastion, but much more secure. The EC2 instance can sit in a private subnet, and no inbound rule in the instance's security group is required.
Logging and auditing are easy: every command executed during a session can be tracked.
Centralized access control to instances using IAM policies
No open inbound ports and no need to manage bastion hosts or SSH keys
Cross-platform support for Windows, Linux, and macOS
Logging and auditing of session activity
Auditing (AWS CloudTrail) and logging (CloudWatch and S3, with KMS encryption of logs)
Encryption using AWS KMS
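To make the Session Manager option concrete, here is an added example (not part of the original post) that builds the two pieces the list above relies on: a Session Manager preferences document that forces encrypted S3/CloudWatch session logging, and an IAM policy that lets operators start sessions only on tagged instances and only through that document. The region, account id, bucket, log group, KMS key and tag values are placeholders; an audit helper shows the gaps a weaker preferences document would leave.

```python
# Added example: Session Manager preferences + least-privilege operator policy.
# REGION/ACCOUNT and every bucket, log group, key and tag below are placeholders.
import json

REGION, ACCOUNT = "us-east-1", "111122223333"


def session_preferences(bucket, log_group, kms_key_id):
    """SSM-SessionManagerRunShell document: log every session to S3 and
    CloudWatch, encrypt with the given KMS key, and time out idle sessions."""
    return {
        "schemaVersion": "1.0",
        "description": "Session Manager preferences with encrypted logging",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": bucket,
            "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": log_group,
            "cloudWatchEncryptionEnabled": True,
            "cloudWatchStreamingEnabled": True,
            "kmsKeyId": kms_key_id,
            "idleSessionTimeout": "20",
        },
    }


def operator_policy(tag_key, tag_value):
    """IAM policy: StartSession only on instances carrying the tag and only via
    the hardened document; users may resume/terminate only their own sessions."""
    inst = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*"
    doc = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/SSM-SessionManagerRunShell"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": inst,
         "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}}},
        {"Effect": "Allow", "Action": "ssm:StartSession", "Resource": doc,
         "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
    ]}


def audit_preferences(doc):
    """Return the logging/encryption gaps in a preferences document (empty = ok)."""
    i, gaps = doc.get("inputs", {}), []
    if not (i.get("s3BucketName") or i.get("cloudWatchLogGroupName")):
        gaps.append("no session log destination")
    if i.get("s3BucketName") and not i.get("s3EncryptionEnabled"):
        gaps.append("S3 logs unencrypted")
    if i.get("cloudWatchLogGroupName") and not i.get("cloudWatchEncryptionEnabled"):
        gaps.append("CloudWatch logs unencrypted")
    if not i.get("kmsKeyId"):
        gaps.append("session data not KMS-encrypted")
    return gaps
```

`json.dumps(session_preferences(...))` is what you would pass to `aws ssm update-document --name SSM-SessionManagerRunShell`; the policy goes onto the operators' IAM role.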