What is AWS Bastion Host?
Security plays an important role in every sector. Whenever a user relies on a service, the concern is that the data shared with that service stays protected, since there is always a chance of a malicious attack or threat while the service is in use. Amazon provides strong security for its services, and it recommends SSH or RDP for securing access to instances and services. The bastion host is one of the patterns AWS provides to avoid exposing users’ resources unnecessarily on the internet. A bastion host tightens access to resources, gateways, instances and so on, and the host itself is reached over the SSH or RDP protocols.
What is Bastion Host?
A bastion host is a special-purpose server or instance that is configured to withstand attacks and threats. It is also known as a ‘jump box’ because it acts like a proxy server, allowing client machines to connect to remote servers behind it. It is essentially a gateway between a private subnet and the internet: it lets a user reach a private network from an external network and relays connections to the other instances.
Why use a Bastion Host?
The complete scenario can be explained as follows. Suppose there is a cluster of instances in your cloud environment. The public cloud lets you create a private, isolated section of the cloud, known as a VPC (Virtual Private Cloud), in which you launch other services. The user then needs a secure communication channel into that VPC, and there are several ways to provide one. The first option is to assign an external IP address to a service so that it can be reached over the internet. Some users, however, do not want to expose external IP addresses and prefer to connect to the VPC with an SSH tool for better security. If no external IP address is assigned, the remaining option is to create another instance on the network that becomes the gateway between the private network and the internet and acts as a trusted relay for inbound connections. That instance is the bastion host.
How does a bastion host work?
A bastion host provides the entry point into a private network that must be reachable from an external network while staying protected from attacks. A bastion host has both an internal and an external IP address. Users who want to reach an internal instance without giving it an external IP address first connect to the bastion host and then connect to the internal instances from there. In other words, when using a bastion host you log in to the bastion first and are then forwarded to the private instances. The following diagram explains how this actually works.
The following describes the architecture of the bastion host. If users already have existing AWS infrastructure, deploying the bastion host becomes easier.
- A VPC configured with both public and private subnets is required; it provides users with their own virtual network on the AWS infrastructure.
- An internet gateway is required to act as the bridge for internet access. It allows the bastion host to send and receive the private network’s traffic.
- An architecture that can span up to two Availability Zones.
- A cluster of Amazon EC2 instances in an Auto Scaling group is needed.
- The number of Elastic IP addresses must match the number of bastion host instances.
- Amazon CloudWatch is also required in order to store the history of the bastion host shell logs.
- Security groups play a vital role in maintaining security and in ensuring that the bastion host does not fail at all. They are created so that users can connect through the bastion host to the private instances.
By default, the bastion host uses private keys for authentication, so users would have to keep a copy of the private keys on it; this is not recommended, because those keys would be exposed if the bastion host is compromised. It is highly recommended to use SSH agent forwarding instead of storing the target machine’s private key on the bastion host. Even if users use the same key pair for both the bastion and the target instances, agent forwarding is still the recommended approach. The other thing users should look at is hardening the bastion host itself: it should carry only the essential packages and installations, and all other unneeded packages should be uninstalled. Also, remember that bastion hosts are deployed in the public subnet.
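The two operational points above (keeping the target's private key off the bastion, and scoping the security group so that SSH into the bastion is allowed only from an approved range) in script form. This is an added example, not code from the article or from AWS; it uses OpenSSH's ProxyJump rather than agent forwarding, which achieves the same goal of never placing the private key on the bastion, and all IP addresses, CIDRs, hostnames and key file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: build an OpenSSH client config that reaches a private EC2
# instance through a bastion, then audit a constructed security-group
# ingress listing for SSH that is open wider than the admin range.

BASTION_IP="203.0.113.10"      # bastion's Elastic IP (placeholder)
PRIVATE_IP="10.0.2.25"         # instance in the private subnet (placeholder)
ADMIN_CIDR="198.51.100.0/24"   # range allowed to reach the bastion (placeholder)

# Emit an ssh_config stanza. ProxyJump tunnels the session through the
# bastion, so ~/.ssh/app.pem stays on the admin workstation and agent
# forwarding is not needed (ForwardAgent stays off on both hosts).
bastion_ssh_config() {
  printf 'Host bastion\n  HostName %s\n  User ec2-user\n' "$1"
  printf '  IdentityFile ~/.ssh/bastion.pem\n  ForwardAgent no\n\n'
  printf 'Host private-app\n  HostName %s\n  User ec2-user\n' "$2"
  printf '  IdentityFile ~/.ssh/app.pem\n  ProxyJump bastion\n  ForwardAgent no\n'
}

# Audit constructed ingress rules given as "port,cidr" lines. Returns 0 when
# every port-22 rule is scoped to the allowed CIDR, 1 if any SSH rule is wider.
audit_ssh_ingress() {
  echo "$1" | awk -F, -v allowed="$2" '
    $1 == 22 && $2 != allowed { bad++ }
    END { exit (bad > 0) }'
}

# Constructed sample rule sets: the first is the intended bastion security
# group, the second exposes SSH to the whole internet.
GOOD_RULES="22,198.51.100.0/24
443,0.0.0.0/0"
BAD_RULES="22,0.0.0.0/0
443,0.0.0.0/0"

bastion_ssh_config "$BASTION_IP" "$PRIVATE_IP"
if audit_ssh_ingress "$GOOD_RULES" "$ADMIN_CIDR"; then
  echo "good rules: SSH limited to $ADMIN_CIDR"
fi
if ! audit_ssh_ingress "$BAD_RULES" "$ADMIN_CIDR"; then
  echo "bad rules: SSH reachable from the internet"
fi
```

Append the printed stanzas to ~/.ssh/config and `ssh private-app` lands on the private instance via the bastion with no key material stored on it.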