Improving Security in AWS by Removing the Bastion Host.
Miguel Ángel Chuecos, Site Reliability Engineer of DarerPlanet Technology, tells us some very useful tips to improve security in AWS removing the Bastion Host .
In the following article, we will look at how jump servers work, a better alternative, their advantages over classic jumps, and how to configure them to improve security in AWS for all OS.
PS. You have a tip at the end of the article
Frequently, jump servers or bastion hosts are used as a practice to access resources without Internet access (Private Subnets) within AWS, or even with access to the outside but restricted by IP (Security Group).
Jump servers are often used to connect to a database, perform tests, check application logs, apply updates…
Table of Contents
How does this jump works?
- This access is done by SSH connection (Port 22) or RDP (3389) establishing the public source IPs that will access the Bastion Security Group.
- In addition, the accessing person must have the key pair associated with the instance.
- Once the connection to Bastion has been established, another SSH/RDP connection is made to the private service (EC2 instance, for example).
The following diagram describes the connectivity flow from the user to the private EC2 instance which host the application:
What is the best alternative?
We recommend you to use AWS Systems Manager and Session Manager. We are going to show you why using this tool is the best choice to improve security in AWS.
What are the advantages of using AWS Systems Manager over a classic SSH/RDP jump?
These are the main advantages of using AWS Systems Manager and Session Manager:
AWS Systems Manager is cross-platform
You do not need to use different SSH/RDP connection tools depending on the operating system (Linux, Windows, macOS).
Quick and secure access
Simply access the AWS Management Console from your browser and log in to the desired host with a couple of clicks or using AWS CLI.
Forget about SSH access and open ports in the security group
With Session Manager you don’t need to add SSH or RDP access rules or maintain a security group with different public IPs that can change over time.
Security managed by IAM
In this way, security is centralised, allowing permissions to be given and denied from a single place depending on the user, group and instance by through of IAM policies.
Integration with audit and log services
With Session Manager you can further trace and record user session activity by integrating with AWS CloudTrail, Amazon S3, Amazon CloudWatch, Amazon EventBridge and Amazon SNS services, allowing you, for example, to receive alerts when a user starts or stops a session.
The following diagram describes connectivity to the private EC2 instance using Systems Manager Session Manager:
How do I enable Sessions Manager on my EC2 instance?
SSM Agent is installed, by default, on the following EC2 instances and Amazon Machine Images (AMIs):
- Amazon Linux.
- Amazon Linux 2.
- Amazon Linux 2 ECS-Optimized Base AMIs.
- Ubuntu Server 16.04, 18.04, and 20.04.
For other linux distributions, take a look to the AWS page.
AWS Systems Manager Agent (SSM Agent) is preinstalled, by default, on the following Amazon Machine Images (AMIs):
- Windows Server 2008-2012 R2 AMIs published in November 2016 or later.
- Windows Server 2016 and 2019.
For other Windows versions, take a look to the AWS page.
SSM Agent is installed by default on the following EC2 instances and Amazon Machine Images:
- macOS 10.14.x (Mojave).
- macOS 10.15.x (Catalina).
- macOS 11.x (BigSur).
SSM Agent doesn’t need to be manually installed on macOS EC2 instances unless it has been uninstalled.
In that case, take a look to this article.
Once you have installed the SSM Agent, the EC2 instance must has attached a IAM Role Profile. Follow these steps to create the policy.
Now the IAM Role Profile has been created it must be attached from EC2.
Select the EC2 instance > Actions > Security > Modify IAM role and select the IAM Role you have created before.
From AWS Systems Manager, select Session Manager from the Node Management list. If the instance has been configured correctly, it should appear in the list of “Target Instances”.
Tip: Type bash to keep track of the commands executed in the session.
Aws Systems Manager to improve security in AWS
Using AWS Systems Manager to improve AWS security instead of a classic SSH/RDP jump has a lot of advantages and as we have shown you is easy to set-up.
What are you waiting for to improve your AWS security?
As always, we are happy to share knowledge. Feel free to contact us so we can help you with whatever you need.
We hope you found this article useful!
Do you want to tell us something?