Toward a Bastion-Less World
Using a bastion or jump server has been a common way to allow access to secure infrastructure in your virtual private cloud (VPC) and is integrated into several Quick Starts. Amazon Web Services (AWS) has recently released two new features that allow us to connect securely to private infrastructure without the need for a bastion host. This greatly improves your security and audit posture by centralizing access control and reducing inbound access.
With Session Manager, you don’t have to open inbound access to secure shell (SSH) ports and remote Microsoft Windows PowerShell ports. To learn more about the benefits, see the AWS Systems Manager Session Manager documentation. In this first part of this two-part blog series, I present an overview of the automation required to enable SSH access by using AWS Session Manager.
Instructions for access using Amazon Elastic Compute Cloud (Amazon EC2) Instance Connect will follow in the second blog post. For details on Session Manager, see the Getting Started with Session Manager documentation.
To work through this blog post, if you are testing the connection by using SSH, you need the name of an existing public/private key pair, which allows you to connect securely to your instance after it launches. If you don’t have a key pair, create one before following the rest of the steps below. A key pair is not required if you are testing the connection using only the AWS CLI or the AWS Systems Manager console.