Protecting Your AWS Environment With Linux Bastion Hosts

Administrative access to EC2 instances is an essential part of managing your AWS environment. Critical and production environments should have strong network-based access controls, and the best practice is to use a bastion host. A bastion host is a virtual machine that sits outside your network security zone; it works as the primary access point from the internet and as a proxy to the instances inside that zone. Because it is configured as the single point of access, it is specially hardened to withstand attacks and to protect the instances to which it provides access.

Steps for creating the bastion host for your AWS environment

In AWS, your applications usually sit in a VPC, with backend EC2 instances on a private subnet that has its own security group. A public subnet, with its own security group, hosts the bastion host that connects to the private subnet. This diagram shows the architecture:

The steps for creating and configuring the bastion hosts are:

  1. Launch a Linux EC2 instance in your public subnet.
  2. Configure the public subnet security group to allow SSH traffic with your on-premises environment as the source. Avoid exposing the bastion host to the whole internet by using 0.0.0.0/0 as the source; limit the rule to the addresses your users connect from.
  3. Configure the private subnet security group to allow SSH traffic with the bastion host's private IP address as the source.
  4. Verify the setup by connecting to the bastion host and then, from inside the bastion host, connecting to an instance on the private subnet.
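The two security-group rules in steps 2 and 3 are the part of this setup that most often drifts (someone widens the bastion rule to 0.0.0.0/0 "temporarily"). The script below, an added example that is not part of the original article, audits both rules offline. The sample groups are constructed to mimic the shape of `aws ec2 describe-security-groups` output; the group IDs, names and address ranges are made-up placeholders, and real data would come from that CLI call or boto3 with the same keys.

```python
"""Offline audit of the two security-group rules from steps 2 and 3 above.

Added example, not from the original article. The sample groups below are constructed
to mimic the shape of `aws ec2 describe-security-groups` output (group IDs, names and
address ranges are made-up placeholders).
"""
import ipaddress

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample data: a correct bastion group, a correct private group,
# and a bastion group showing the 0.0.0.0/0 mistake the article warns about.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion-ok", "GroupName": "bastion-public-sg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}],    # on-premises egress range (placeholder)
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-private-ok", "GroupName": "app-private-sg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.10/32"}],      # bastion host private IP (placeholder)
          "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "10.0.0.10/32"}],      # RDP, also only from the bastion
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-bastion-bad", "GroupName": "bastion-public-sg-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],         # SSH open to the whole internet
          "UserIdGroupPairs": []}]},
]


def rule_covers_port(perm, port):
    """True if an IpPermissions entry covers TCP `port` (protocol -1 means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ssh_sources(group):
    """Collect the CIDR sources and security-group sources allowed to reach port 22."""
    cidrs, sgs = set(), set()
    for perm in group.get("IpPermissions", []):
        if rule_covers_port(perm, SSH_PORT):
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            cidrs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
            sgs.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return cidrs, sgs


def audit_bastion_group(group, allowed_source_cidr):
    """Step 2: the public group may allow SSH only from the on-premises range."""
    allowed = ipaddress.ip_network(allowed_source_cidr)
    cidrs, sgs = ssh_sources(group)
    findings = []
    for cidr in sorted(cidrs):
        net = ipaddress.ip_network(cidr)
        if cidr in ANYWHERE:
            findings.append(f"{group['GroupId']}: SSH open to the internet via {cidr}")
        elif net.version != allowed.version or not net.subnet_of(allowed):
            findings.append(f"{group['GroupId']}: SSH allowed from {cidr}, outside {allowed}")
    for sg in sorted(sgs):
        findings.append(f"{group['GroupId']}: SSH allowed from group {sg}; expected only {allowed}")
    return findings


def audit_private_group(group, bastion_private_ip, bastion_group_id=None):
    """Step 3: the private group may allow SSH only from the bastion host."""
    bastion = ipaddress.ip_network(f"{bastion_private_ip}/32")
    cidrs, sgs = ssh_sources(group)
    findings = []
    for cidr in sorted(cidrs):
        if cidr in ANYWHERE or ipaddress.ip_network(cidr) != bastion:
            findings.append(f"{group['GroupId']}: SSH allowed from {cidr}, not only the bastion {bastion}")
    for sg in sorted(sgs):
        if sg != bastion_group_id:   # referencing the bastion's own group is an acceptable alternative
            findings.append(f"{group['GroupId']}: SSH allowed from group {sg}, not the bastion's group")
    return findings


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        fn = audit_private_group if "private" in g["GroupName"] else audit_bastion_group
        arg = "10.0.0.10" if fn is audit_private_group else "203.0.113.0/24"
        for line in fn(g, arg) or [f"{g['GroupId']}: OK"]:
            print(line)
```

Run it as-is to see the two clean groups pass and the open group flagged; to audit a real account, replace SAMPLE_GROUPS with the parsed output of describe-security-groups and pass your actual on-premises range and bastion private IP. The private-group check accepts a security-group reference to the bastion's own group as an alternative to its /32, since that survives the bastion being replaced with a new private IP.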

Using a Linux bastion host to connect to Windows environments using RDP

Linux EC2 instances use SSH as the protocol for administrative network connections; Windows instances use the Remote Desktop Protocol (RDP) to provide a graphical session. When a Linux instance is used as a bastion host for Windows EC2 instances, the two use different connection protocols, and the following question comes to mind: "How do I connect via RDP to the Windows instances if I'm connecting via SSH to the bastion?" The solution is SSH port forwarding, which tunnels the RDP connection inside the secure SSH connection to the bastion.

Using the Linux Command Line

The first step is to open a local port that forwards connections through the bastion host's public address to our Windows EC2 instance:

ssh -L 3389:<Windows server private IP address>:3389 <bastion public IP address> -l ec2-user -N

Then we can connect with our RDP client to localhost on port 3389, and the SSH tunnel relays the session to the Windows instance.
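The one-line command above is easy to get subtly wrong: the Windows address must be the instance's private IP, the bastion address must be its public one, and the forwarded port should listen on loopback only so that nothing else on your LAN can ride the tunnel. The following script is an added example, not part of the original article; it builds the same ssh command with those checks applied and also emits the equivalent ~/.ssh/config stanza. The addresses in the demo are constructed placeholders, and the assumption that the VPC uses RFC 1918 address space is mine, not the article's.

```python
"""Build the loopback-bound SSH tunnel used to reach a Windows instance over RDP.

Added example, not from the original article. Addresses used in the demo are
constructed placeholders; treating the VPC as RFC 1918 space is an assumption.
"""
import ipaddress
import shlex

RDP_PORT = 3389
# Assumption: the VPC's private subnet uses RFC 1918 space (the common case, not a rule).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for an IPv4 address inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def check_addresses(windows_private_ip, bastion_public_ip):
    """Return a list of problems with the two addresses; an empty list means they look right."""
    problems = []
    for label, value in (("Windows instance", windows_private_ip), ("bastion", bastion_public_ip)):
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{label} address {value!r} is not a valid IP address")
    if problems:
        return problems
    if not is_rfc1918(windows_private_ip):
        problems.append(f"Windows instance {windows_private_ip} is not a private (RFC 1918) address")
    if is_rfc1918(bastion_public_ip):
        problems.append(f"bastion {bastion_public_ip} is a private address; expected its public address")
    return problems


def build_rdp_tunnel(windows_private_ip, bastion_public_ip, local_port=RDP_PORT,
                     user="ec2-user", key_path=None):
    """Return the ssh argv that relays 127.0.0.1:local_port to the Windows instance's RDP port."""
    problems = check_addresses(windows_private_ip, bastion_public_ip)
    if problems:
        raise ValueError("; ".join(problems))
    if not 1 <= local_port <= 65535:
        raise ValueError(f"invalid local port {local_port}")
    argv = ["ssh", "-N",
            "-o", "ExitOnForwardFailure=yes",   # exit instead of hanging with no tunnel
            "-L", f"127.0.0.1:{local_port}:{windows_private_ip}:{RDP_PORT}"]  # bind loopback only
    if key_path:
        argv += ["-i", key_path]
    argv += ["-l", user, bastion_public_ip]
    return argv


def ssh_config_stanza(alias, windows_private_ip, bastion_public_ip, local_port=RDP_PORT,
                      user="ec2-user", key_path="~/.ssh/bastion.pem"):
    """Equivalent ~/.ssh/config entry, so the tunnel becomes `ssh -N <alias>`."""
    problems = check_addresses(windows_private_ip, bastion_public_ip)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        f"Host {alias}",
        f"    HostName {bastion_public_ip}",
        f"    User {user}",
        f"    IdentityFile {key_path}",
        "    ExitOnForwardFailure yes",
        f"    LocalForward 127.0.0.1:{local_port} {windows_private_ip}:{RDP_PORT}",
    ])


if __name__ == "__main__":
    # Constructed placeholder addresses: a private-subnet Windows host and a public bastion IP.
    print(shlex.join(build_rdp_tunnel("10.0.1.20", "203.0.113.20", key_path="~/.ssh/bastion.pem")))
    print(ssh_config_stanza("win-rdp", "10.0.1.20", "203.0.113.20"))
```

Binding to 127.0.0.1 explicitly matches OpenSSH's default for -L, but writing it out documents the intent and survives a GatewayPorts setting in a shared config. With the config stanza in place, `ssh -N win-rdp` opens the tunnel and the RDP client connects to 127.0.0.1:3389 as before.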

Using PuTTY

The same port forwarding can be configured in PuTTY with the following steps:

  1. Set the public IP address or host name of the bastion host in the Session window.
  2. In the SSH > Auth window, set the private key file.
  3. In the SSH > Tunnels window, add the new forwarded port. The source port can be any unused local port, and the destination should be the Windows EC2 server's private address with the RDP port (3389) appended.
  4. Connect via PuTTY and log in.
  5. Start an RDP session to localhost with your new source port appended.

Conclusion

Security is one of the most important components of any AWS environment. Using bastion hosts, we can protect our EC2 instances from attacks and minimize the attack surface by running only the minimum set of services on the bastion host. At SoftwareONE, we follow the best security practices that will empower your organization's journey through the cloud.


Author

Carlos Perez
Future Data Center - AWS Consultant
