Secure Your July with a Bastion Host
What the Heck is a Bastion Host?
July marks the month in which two countries of intertwined history celebrate their independence. The United States celebrates independence annually on the 4th of July, the date on which the famous declaration of autonomy from European rule was adopted. Across the pond, 13 years later on the 14th of July, Parisian dissidents, fearing reprisal by King Louis XVI, stormed royal arms stores and then laid siege to the fortress-prison known as the Bastille, an edifice of despotism. The Bastille, before being repurposed as a prison, was a medieval fortress protecting Paris from possible English invasion. In fact, the word "Bastille" is a cognate of "bastion," a defensive tower added to the walls of a fortification.
For both the United States and France, an English invasion hasn't been a point of concern since Mick Jagger. However, in the context of AWS, a bastion host can boost your network security.
A bastion host is not a new idea. Otherwise known as a jump box, a bastion host (to use the AWS nomenclature) is the single, hardened entry point through which administrators reach instances that reside in your private subnets. It is best used for SSH and RDP sessions, and it reduces the number of publicly accessible instances in your network. With fewer instances exposed there is less access to manage, and you can concentrate on hardening those few instances rather than many.
What Does a Bastion Host Look Like?
A bastion host doesn't complicate or congest a contemporary AWS network architecture. It sits in a public subnet with a public (Elastic) IP, and your SSH or RDP connection hops through it into the private subnet: you connect to the bastion, and from there to the private instance's private IP. With OpenSSH this is one step, ssh -J bastion private-host, which forwards the connection through the bastion without giving you a shell on it. Instances that once resided in the public subnet can more wisely be moved to the private one.
Wait a Minute!
“Doesn’t a bastion host introduce a single point of failure?”
It's certainly true that because your bastion host serves as the critical drawbridge to your network, it is also the most exposed part of it: anyone on the internet can reach it, so it must be hardened with extra care. Follow the principle of least privilege, which states that a user (or host) should be given the minimum level of permissions needed to perform the job:
- Give each user their own SSH key pair for access to the bastion host, never a shared key, so that access can be revoked per person when someone leaves.
- Configure the bastion host's security group to allow inbound connections only from a range of corporate or otherwise fixed external IP addresses, never from 0.0.0.0/0.
- Restrict which ports are open from the internet to your bastion host (typically only 22 or 3389), and restrict the private subnet's security groups so that those ports accept connections only from the bastion's security group, not from the whole VPC.
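To check that a deployment actually follows these three rules, here is an added example (not from the original post and not AWS code): a small Python audit over the JSON that aws ec2 describe-security-groups returns. It flags admin ports on the bastion that are open to anything but the allowed corporate ranges, and admin ports on private-subnet groups that accept anything but the bastion's security group. The group IDs and CIDRs in the sample data are constructed for illustration.

```python
"""Audit AWS security-group ingress rules against the bastion-host pattern.

Added example. Input is the "SecurityGroups" list from
`aws ec2 describe-security-groups --output json`. Policy checked:
  * the bastion's SSH/RDP ports are reachable only from fixed corporate CIDRs;
  * private-subnet groups accept SSH/RDP only from the bastion's security group.
Sample data at the bottom is constructed; the group IDs are made up.
"""
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def rule_ports(rule):
    """Ports an ingress rule opens; None means every port (IpProtocol "-1")."""
    if rule.get("IpProtocol") == "-1":
        return None
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return set(range(lo, hi + 1))


def opens_admin_port(rule):
    ports = rule_ports(rule)
    return ports is None or bool(ports & ADMIN_PORTS)


def cidr_allowed(cidr, allowed):
    """True if cidr lies entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit_bastion_rules(groups, bastion_sg_id, allowed_cidrs):
    """Return human-readable findings; an empty list means the groups match policy."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for sg in groups:
        sg_id = sg["GroupId"]
        is_bastion = sg_id == bastion_sg_id
        for rule in sg.get("IpPermissions", []):
            if not opens_admin_port(rule):
                continue  # e.g. 443 from a load balancer: not an admin port
            # CIDR sources, IPv4 and IPv6
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_bastion and cidr_allowed(cidr, allowed):
                    continue
                if is_bastion:
                    findings.append(f"{sg_id} (bastion): admin port open to {cidr}, "
                                    f"not inside the allowed corporate ranges")
                else:
                    findings.append(f"{sg_id}: admin port open to {cidr}; private "
                                    f"instances should accept only from {bastion_sg_id}")
            # security-group sources
            for pair in rule.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if is_bastion:
                    findings.append(f"{sg_id} (bastion): admin port open to group {src}; "
                                    f"expected fixed CIDRs only")
                elif src != bastion_sg_id:
                    findings.append(f"{sg_id}: admin port open to group {src}; "
                                    f"expected only {bastion_sg_id}")
    return findings


# Constructed sample of describe-security-groups output (IDs are made up).
BASTION_SG = "sg-0bastion0000000001"
SAMPLE_GROUPS = [
    {"GroupId": BASTION_SG,
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "198.51.100.0/24"}, {"CidrIp": "0.0.0.0/0"}],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0private000000000002",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    for finding in audit_bastion_rules(SAMPLE_GROUPS, BASTION_SG, ["198.51.100.0/24"]):
        print(finding)
```

Run against the sample, the audit reports two findings: the bastion's port 22 is open to 0.0.0.0/0, and the private group accepts RDP from the whole VPC CIDR rather than from the bastion group only. The 443 rule is ignored because it is not an administrative port. To run it against a real account, load the JSON from the CLI and pass your own bastion group ID and corporate ranges.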
“What if my bastion host goes down?”
A very valid concern. Placing your bastion host in an Auto Scaling group with a minimum and maximum size of one ensures that if the instance fails its health check, another is launched in its place. Be aware that the replacement does not inherit the old instance's Elastic IP on its own; the AWS quick start handles this with a launch script that re-associates the address, and your users' SSH configuration should point at that fixed address rather than at an instance's changing public DNS name.
“Wait, how much does this cost?”
As the AWS motto goes, you pay only for what you use. The EC2 instance you create for this role doesn't have to be large; a bastion forwards a handful of administrative sessions, so a small instance type, which may qualify for the free tier, is enough, making this a very affordable security solution. Be aware that you'll need to attach an Elastic IP to this instance. (An Elastic IP that is not attached to a running instance incurs a small hourly fee, and AWS pricing for public IPv4 addresses changes over time, so check the current rates.)
Let’s Get It Started (in Here)
Amazon has a quick start guide for setting up a Linux bastion host. To get started you'll need some familiarity with Amazon VPC, EC2, and NAT gateways, and you should know which of your subnets are public and which are private. Be sure to launch the bastion host in a public subnet: you can't move a running instance to a different subnet in AWS, so a mistake here means terminating the instance and creating it over again.
Quis custodiet ipsos custodes?
“Who will guard the guards themselves?”
Need access audits? A bastion host makes them tractable, because every administrative session funnels through one place. Some security standards require auditing of outside access to your private network, and two sources cover it. AWS CloudTrail records the API calls around the bastion (who launched or terminated it, who changed its security group), but not the SSH sessions themselves; for those you need logs from the host. The sshd authentication log on the jump box records every accepted and failed login with the user, key type and source address, and, albeit a little more advanced, you can also log the commands run in each session and ship both to CloudWatch Logs, as the AWS Linux bastion quick start does.
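As an added example of reviewing those host logs (not code from the original post, AWS, or the quick start), the Python below parses OpenSSH authentication lines as they appear in auth.log, then flags three things a bastion audit cares about: accepted logins from outside the corporate ranges the security group is meant to enforce, accepted logins that used something other than public-key authentication, and sources with repeated failures. The log lines, usernames and addresses are constructed samples.

```python
"""Review sshd authentication events from a bastion host's auth.log.

Added example. It recognises OpenSSH's standard "Accepted <method> for <user>
from <ip> port <n>" and "Failed <method> for [invalid user] <user> from <ip>
port <n>" lines; everything else (pam_unix session lines, cron, sudo) is skipped.
The sample log below is constructed; hosts, users and addresses are made up.
"""
import ipaddress
import re
from collections import Counter

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample of /var/log/auth.log on the bastion.
SAMPLE_LOG = """\
Jul  4 09:12:01 bastion sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2: ED25519 SHA256:abc
Jul  4 09:12:01 bastion sshd[1201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jul  4 09:15:44 bastion sshd[1244]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2
Jul  4 09:15:46 bastion sshd[1247]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Jul  4 09:15:49 bastion sshd[1250]: Failed password for root from 203.0.113.9 port 40004 ssh2
Jul  4 09:20:10 bastion sshd[1290]: Accepted publickey for bob from 203.0.113.20 port 50001 ssh2: RSA SHA256:def
"""


def parse_logins(text):
    """Extract login attempts as dicts with result, method, user and ip."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_logins(events, allowed_cidrs, failure_threshold=3):
    """Return findings for logins outside allowed_cidrs, non-key logins,
    and sources with at least failure_threshold failed attempts."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        ip = ipaddress.ip_address(e["ip"])
        if not any(ip in net for net in allowed):  # version mismatch is simply False
            findings.append(f"{e['user']} logged in from {ip}, outside the allowed ranges")
        if e["method"] != "publickey":
            findings.append(f"{e['user']} authenticated with {e['method']} from {ip}; "
                            f"expected key-based auth only")
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    for ip, count in failures.items():
        if count >= failure_threshold:
            findings.append(f"{count} failed logins from {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit_logins(parse_logins(SAMPLE_LOG), ["198.51.100.0/24"]):
        print(finding)
```

On the sample this reports bob's login from 203.0.113.20, which is outside the corporate range (and therefore also means the bastion security group is not as tight as intended), and three failed logins from 203.0.113.9. Alice's key-based login from the corporate range produces nothing. Point it at the real file, or at the copy shipped to CloudWatch Logs, to review a day's access.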
Looking to improve network security with a bastion host? The devoted experts of Bloomip can help. Contact Us for a Free Cloud Assessment.