Protecting Your AWS Environment With Linux Bastion Hosts

Administrative access to EC2 instances is an essential part of managing your AWS environment. Critical and production environments should have strong network-based access controls, and the best practice consists of using a bastion host. A bastion host is a virtual machine that sits outside your network security zone; it works as a primary access point from the internet and a proxy to the instances on your network security zone. By being configured as the single point of access, it is specially configured to withstand attacks and protect the instances in which it provides access.

In AWS, your applications usually sit in a VPC with backend EC2 instances located on a private subnet with its own security group. A public subnet with its own security group will host the bastion host that will connect to the private subnet. This diagram shows the architecture:

The steps for creating and configuring the bastion hosts are:

1. Launch a Linux EC2 instance in your public subnet.
2. Configure the public subnet security group with SSH traffic with your on-premise environment as source (Avoid exposing the bastion host to the public by using 0.0.0.0/0, it is a good practice; just limit it to your users).
3. Configure the private subnet security group with SHH traffic with the bastion hosts private IP address as source.
4. Verify the bastion host by connecting to the bastion host and from inside the bastion host connect to the instance.

Linux EC2 instances use SSH as the connection protocol for the network connection; however, Windows instances use the Remote Desktop Protocol (RDP) to provide a graphical interface network connection. When using a Linux instance as a bastion host with Windows EC2 instances, there is a difference in the type of protocols both instances use for connection. The following question then comes to mind: "How do you connect via RDP to the Windows instances if I'm connecting via SSH to the bastion?". The solution is to use port forwarding to create a secure connection to relay the SSH connection to RDP.

The first step involves creating a new port that will forward the connection to our Windows EC2 instance from the public bastion address.

ssh -L 3389:< Windows server private ip address >:3389 < bastion public facing ip address> -l ec2-user -N

Then we can easily connect using our RDP client via a local >host.

The port forwarding can achieve connection by using PuTTY with the following steps:

1. Set public IP or Host Name of the bastion host in the Session window.
2. In SSH >Auth window, set the private key file.
3. In SSH >Tunnels add the new port forwarded port. The source port can be any unused port, and the destination should be the Windows EC2 server with the RDP port appended (3389).
4. Connect via PuTTY and log in.
5. Start an RDP session to localhost with your new port appended.

Security is one of the most important components of any AWS environment. Using bastion hosts, we can protect our EC2 instances from attacks and minimize the threats by just containing the minimum amount of services in the bastion host. At SoftwareONE, we follow the best security practices that will empower your organization's journey through the cloud.