10 AWS Bastion Host Best Practices

AWS Bastion hosts are a great way to secure your AWS environment. By using a bastion host, you can limit inbound traffic to your AWS environment while still allowing outbound traffic.

In this article, we will discuss 11 best practices for using AWS Bastion hosts. By following these best practices, you can help ensure that your AWS environment is secure and compliant.

1. Use a bastion host to access your instances

Bastion hosts provide an additional layer of security by acting as a “jump box” that you can use to access your AWS instances. By using a bastion host, you can limit direct access to your instances, which reduces the risk of attack.

Additionally, bastion hosts can be used to monitor and audit activity on your AWS account. By using a bastion host, you can track who is accessing your instances, when they are accessing them, and what they are doing. This information can be invaluable in identifying potential security issues.

Finally, bastion hosts can be used to improve the availability of your AWS instances. By using a bastion host, you can ensure that your instances are always accessible, even if one or more of them goes down.

2. Restrict SSH traffic to the bastion host

The bastion host is the only server in your AWS environment that should be publicly accessible, so it’s a prime target for attackers. By restricting SSH traffic to the bastion host, you make it much more difficult for an attacker to gain access to your servers.

To restrict SSH traffic to the bastion host, you can use security groups. A security group is like a virtual firewall that controls traffic to and from your instances. You can add rules to a security group that allow or deny traffic based on various criteria, such as the source or destination IP address, port number, or protocol.

For example, you could create a rule that allows SSH traffic only from the bastion host’s IP address. This would ensure that only traffic originating from the bastion host can reach your instances via SSH.

You can also use network ACLs to restrict SSH traffic to the bastion host. Network ACLs are similar to security groups, but they operate at the subnet level instead of the instance level. This means that you can apply them to all instances in a subnet, regardless of whether they are part of a security group.

Network ACLs have two separate sets of rules, one for inbound traffic and one for outbound traffic. For inbound traffic, you can specify a rule that allows SSH traffic only from the bastion host’s IP address. For outbound traffic, you can specify a rule that allows all traffic.

By combining security groups and network ACLs, you can create a very effective defense-in-depth strategy that will make it much harder for an attacker to gain access to your instances.

3. Disable direct SSH access to all other hosts

If an attacker were to gain access to your bastion host, they would then have direct access to all the other hosts in your environment. By disabling SSH access to all other hosts, you limit the damage that can be done in the event of a compromise.

To disable SSH access to all other hosts, simply add the following line to your /etc/ssh/sshd_config file:

DenyUsers *

This will deny SSH access to all users, including the root user. You can then add exceptions for specific users that need SSH access.

4. Configure security groups correctly

When you set up a Bastion host, you need to make sure that it’s only accessible from certain IP addresses or subnets. This is usually done by creating a security group for the Bastion host and then adding rules that allow access only from specific IP addresses or subnets.

However, if you’re not careful, it’s easy to accidentally leave the Bastion host open to the world. For example, you might forget to add a rule that restricts access to the Bastion host security group, or you might add a rule that allows access from any IP address.

To avoid these mistakes, it’s important to double-check your security group rules before you launch the Bastion host. You can use the AWS Command Line Interface (CLI) to do this.

First, create a file called bastion-sg.json with the following contents:

{
“GroupName”: “bastion-sg”,
“Description”: “Security group for Bastion host”,
“VpcId”: “vpc-12345678”,
“SecurityGroupIngress”: [
{
“IpProtocol”: “tcp”,
“FromPort”: 22,
“ToPort”: 22,
“CidrIp”: “10.0.0.0/24”
}
]
}

Next, use the AWS CLI to create the security group:

aws ec2 create-security-group –cli-input-json file://bastion-sg.json

Finally, add a rule to the security group that allows access from your IP address:

aws ec2 authorize-security-group-ingress –group-id sg-12345678 –protocol tcp –port 22 –cidr 1.2.3.4/32

5. Enable CloudTrail logging for VPC Flow Logs

VPC Flow Logs is a feature of Amazon VPC that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. This is useful for monitoring, troubleshooting, and security purposes.

However, by default, VPC Flow Logs does not log activity from AWS Bastion Hosts. This means that any activity on your Bastion Hosts will not be captured in your VPC Flow Logs.

Enabling CloudTrail logging for VPC Flow Logs will ensure that all activity on your Bastion Hosts is logged, providing you with valuable insights into what is happening on your network.

6. Don’t use passwords; use key pairs instead

If an attacker gets ahold of your password, they can use it to login to your Bastion Host and gain access to your AWS environment. However, if you’re using key pairs, the attacker would also need to have your private key, which is much more difficult to obtain.

Additionally, key pairs are more secure because they’re not susceptible to brute force attacks like passwords are. So, if you’re looking to add an extra layer of security to your AWS environment, make sure to use key pairs for your Bastion Hosts.

7. Use IAM roles and temporary credentials

When you connect to an AWS Bastion host, you’re connecting to a resource in your AWS account. As such, you need to authenticate with credentials that have permissions to access that resource. However, you don’t want to use your root account credentials or IAM user credentials, as these could be compromised if your bastion host is breached.

Instead, you should use IAM roles and temporary credentials. IAM roles are like users, but they don’t have any permanent credentials associated with them. Instead, they assume the identity of the user or application that is accessing them. This means that even if your bastion host is compromised, the attacker won’t be able to get hold of any long-term credentials.

Temporary credentials are just that – temporary. They can be generated by using the AWS Security Token Service (STS), and they expire after a certain period of time. This means that even if an attacker does get hold of them, they will only be useful for a limited time.

8. Rotate keys regularly

If an attacker gets ahold of your Bastion host’s SSH key, they can use it to access any other instance in your AWS environment that is reachable from the Bastion host. So, if you have a lot of instances, or if your Bastion host has a wide-open security group, the attacker could potentially gain access to a lot of sensitive data.

To prevent this, it’s important to rotate your Bastion host’s SSH keys on a regular basis. You can do this manually, or you can automate it using a tool like Hashicorp Vault.

Either way, make sure you have a process in place to regularly rotate your Bastion host’s SSH keys, so that if one key is compromised, the attacker won’t be able to use it to access your other instances.

9. Use AWS Systems Manager Session Manager

Session Manager is a fully managed AWS Systems Manager capability that lets you control, manage, and monitor access to your instances through an interactive one-click browser-based shell or SSH session. With Session Manager, there is no need to open inbound ports, maintain bastion hosts, or manage SSH keys. Additionally, all sessions are logged for auditing purposes and you can set up alerts to detect unusual activity.

To get started using Session Manager, simply install the SSM Agent on your EC2 instances and then create a session manager configuration. You can then launch sessions directly from the AWS Management Console, the AWS Command Line Interface (CLI), or programmatically using the AWS SDKs.

10. Monitor your bastion hosts

Bastion hosts are a single point of entry into your AWS environment, making them a prime target for attackers. If an attacker were to gain access to your bastion host, they would then have access to all the resources within your VPC.

To prevent this, it’s important to monitor your bastion hosts for any suspicious activity. This includes monitoring for failed login attempts, unusual traffic patterns, and any other anomalies.

AWS provides CloudWatch Logs as a way to monitor your bastion hosts. You can use CloudWatch Logs to set up alarms that will notify you of any suspicious activity.

Additionally, it’s a good idea to create snapshots of your bastion hosts on a regular basis. This way, if your bastion host is ever compromised, you can quickly restore it from a snapshot.