Use of a Bastion Host in AWS Cloud Environment

An AWS account can contain any number of EC2 instances, RDS instances, and other services that need to be connected to. Since exposing any one of these instances for direct connection is considered a security risk, the notion of a “Bastion Host” is used: a single machine that you can remotely connect to directly. In order to use the bastion host, one has to understand SSH keys and SSH tunneling. A public/private key pair is generated using PuTTYgen or a similar key generation tool. Connecting requires the public key to be installed on the server, in the user's home directory with the correct permissions set. Simply creating the directory without first creating the user via the Linux useradd command may therefore not work, since the directory's permissions may not be what the SSH daemon expects.

After clicking Generate, the PuTTYgen utility displays the generated public key with instructions on what to do with it: “Public key for pasting into OpenSSH authorized keys file”. It is possible to have multiple keys in the file that all work; I have tried it and it works. PuTTY saves the private key in a file with the .ppk extension, which is the PuTTY format, but I have also seen private keys with the .pem extension. Keep in mind that you must log in as the user in whose home directory you saved the public key, e.g. /home/{username}/.ssh/authorized_keys. The SSH daemon looks in this file by default for public keys to accept. An example of setting up tunneling in PuTTY is illustrated below:

If you click “Open” on this session, you can open an SSH session on your local machine to localhost:1111 and you will actually be connecting over SSH to the remote machine with IP 10.10.11.10, since the tunnel forwards to its default SSH port 22. This is really cool once you get the concept, as it turns out to be really useful for connecting to other machines through the bastion host directly from your local machine.
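As an added example that is not part of the original post, the shell script below does with OpenSSH what the two sections above describe for PuTTY: it installs a public key with the permissions the SSH daemon's StrictModes check requires, verifies that layout, and prints the tunnel command equivalent to the PuTTY session (local port 1111 forwarded to 10.10.11.10:22). It assumes GNU coreutils (stat -c) on the bastion; the user and host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils (stat -c)
# on the bastion; user and host names are placeholders.

# not_gw_writable PATH
# True when neither the group nor the world write bit is set, which is what
# sshd's StrictModes requires for the home dir, ~/.ssh and authorized_keys.
not_gw_writable() {
  m=$(stat -c '%a' "$1") || return 1
  g=$(( (m / 10) % 10 )); o=$(( m % 10 ))
  [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# install_authorized_key HOME_DIR PUBKEY_LINE
# Appends one OpenSSH public-key line (the text PuTTYgen shows) to
# HOME_DIR/.ssh/authorized_keys, creating the layout with the usual
# 700/600 modes. Several keys may coexist; a duplicate is not re-added.
install_authorized_key() {
  h="$1"; key="$2"
  [ -d "$h" ] || return 1            # create the user (useradd) first
  mkdir -p "$h/.ssh" && chmod 700 "$h/.ssh"
  touch "$h/.ssh/authorized_keys" && chmod 600 "$h/.ssh/authorized_keys"
  grep -qxF "$key" "$h/.ssh/authorized_keys" ||
    printf '%s\n' "$key" >> "$h/.ssh/authorized_keys"
}

# check_key_perms HOME_DIR
# Returns 0 only if the whole chain passes the StrictModes write-bit test;
# a failure here explains a rejected key before you open the sshd log.
check_key_perms() {
  not_gw_writable "$1" &&
    not_gw_writable "$1/.ssh" &&
    not_gw_writable "$1/.ssh/authorized_keys"
}

# tunnel_cmd LOCAL_PORT TARGET_IP BASTION_USER BASTION_HOST
# Prints the OpenSSH equivalent of the PuTTY tunnel: with it running,
# "ssh -p LOCAL_PORT user@localhost" reaches TARGET_IP:22 via the bastion.
# (-J BASTION_USER@BASTION_HOST, i.e. ProxyJump, is the one-step form.)
tunnel_cmd() {
  printf 'ssh -N -L %s:%s:22 %s@%s\n' "$1" "$2" "$3" "$4"
}

# Usage on the bastion, e.g.:
#   install_authorized_key /home/alice "ssh-ed25519 AAAA... alice@laptop"
#   check_key_perms /home/alice && echo "layout ok"
#   tunnel_cmd 1111 10.10.11.10 ec2-user bastion.example.com
```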

If you just need to access an EC2 instance, you don’t necessarily need to tunnel through the bastion host with PuTTY. SSH access can instead be granted through an AWS Session Manager session:

This is extremely handy as it removes PuTTY and tunneling altogether. Another way to connect using AWS Session Manager, if you want the ability from your local desktop, is to use the AWS CLI and run the following:

aws ssm start-session --target i-123456789abcde --profile test

If you are signed in, this command will get you into the target machine. That assumes you have run the aws sso command to log in locally:

aws sso login --profile {profile}