In a perfect world, there would never be a need to connect to resources running in AWS. You would diagnose problems using server logs, and your databases would always hold the correct data and perform optimally. In the real world, it’s sometimes necessary to get your hands dirty and look at what’s happening on the actual machine. This is especially so in development and test environments, where things going right is the exception, not the rule.

Given this practical necessity, how best to implement? As with everything, AWS gives you many ways to get up close and personal with your resources running around the globe. This post highlights a few, with pros and cons and helpful hints. My target audience is a development team that needs access to AWS, but is on their own for how to gain that access. If you work in an organization that already has processes and procedures in place, then you should talk with your IT people.

While this post is titled “Beyond the Bastion,” it started life as an explanation of how to set up and use a bastion host. As it’s always good to start a journey by understanding the thing that you’re moving “beyond,” here goes…

A bastion host, also known as a “jump box,” is one of the simpler ways to gain access to your VPC. It’s just a publicly-accessible EC2 instance, which listens for SSH connections and allows your users to create tunnels to other resources.

A bastion host is easy to set up, cheap to run, and doesn’t require (much) networking know-how. You can use existing security facilities to control access and usage.

Effectively using a bastion host requires your developers to have SSH (secure shell), and to understand how tunnels work. You need to explicitly grant access to your resources from the bastion. Opening port 22 to the world will cause Trusted Advisor to complain; restricting it to your users’ home IP addresses may require constant maintenance.

As I said above, a bastion host is simply a publicly accessible EC2 instance. You don’t need a lot of compute capability: a t4g.nano (which costs roughly $3/month) is more than sufficient to run SSH tunnels.

Create two security groups for this instance. The first, named bastion-access, grants access to the bastion: it must have a rule for each of your users, allowing port 22 from that user’s IP address(es). Tip: use the “Description” field in the security group rule to identify the person associated with that rule. To minimize your workload, give your users the IAM permission to change the rules of that security group. And shame them ruthlessly if they create rules without attaching their name (you can find out they did it via CloudTrail) or if they don’t delete obsolete rules.

The second security group, named bastion, has no rules of its own. Instead, it is referenced by the security group of the resource(s) you want to connect to.

When you create the bastion host, you must select a keypair for the primary user on the instance (ec2-user for Amazon Linux). It’s tempting to share that keypair with everyone who uses the bastion host, but that’s actually an inconvenience for experienced SSH users, and it’s a security risk (especially if you open the bastion host to the world). Instead, ask each user for their public key, and add it to the file $HOME/.ssh/authorized_keys (or give each user their own account, as I describe below). Tip: whenever you edit authorized_keys, don’t log out of the edit session until you’ve successfully logged in using a different window. It’s easy to accidentally damage that file or change its permissions, which will lock out access to the bastion.
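As an added example (not code from the original post), here are the two rule shapes for the bastion-access and bastion security groups, built as the IpPermissions payload that ec2:AuthorizeSecurityGroupIngress accepts, plus an audit that flags bastion-access rules with no owner in the Description or a CIDR wider than one host. The group id and IP addresses are made up, and the sample rule list is constructed to look like a DescribeSecurityGroups response.

```python
import ipaddress


def user_ssh_rule(user: str, ip: str) -> dict:
    """Port-22 ingress rule for one user of the bastion-access group: the
    owner's name goes in Description (visible in the console and CloudTrail)
    and the address is forced to /32 so a typo cannot open a whole range."""
    host = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    if host.version != 4:
        raise ValueError("this helper only builds IPv4 rules")
    return {
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": f"{host}/32", "Description": user}],
    }


def from_bastion_rule(bastion_sg_id: str, port: int) -> dict:
    """Ingress rule for a resource's own group: admit `port` from the
    rule-less bastion group by group id rather than by IP address."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": bastion_sg_id, "Description": "from bastion"}],
    }


def audit_bastion_access(ip_permissions: list) -> list:
    """Findings for bastion-access rules that break the conventions:
    not tcp/22, a CIDR wider than a single host, or no owner in Description."""
    findings = []
    for perm in ip_permissions:
        key = (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
        if key != ("tcp", 22, 22):
            findings.append(f"non-SSH rule: {key}")
        for rng in perm.get("IpRanges", []):
            cidr = rng.get("CidrIp", "")
            if not cidr.endswith("/32"):
                findings.append(f"{cidr}: wider than a single host")
            if not rng.get("Description", "").strip():
                findings.append(f"{cidr}: no owner in Description")
    return findings


# Constructed sample, shaped like the IpPermissions list for bastion-access.
SAMPLE_BASTION_ACCESS = [
    user_ssh_rule("alice", "198.51.100.7"),
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # anonymous, world-open rule
]
```

Running the audit on a schedule (or from a CloudTrail-triggered Lambda) turns the "shame them" step into a report instead of a manual review.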