Sunday, November 03, 2013

Setting up a Bastion Host on AWS

Edit: 5/20/2017 There's another option for creating a bastion host on AWS here: https://aws.amazon.com/blogs/mt/replacing-a-bastion-host-with-amazon-ec2-systems-manager/

To reduce your attack surface and protect assets on AWS, you may want to limit RDP and/or SSH access to instances by routing it through a bastion host. A bastion host exists to accept inbound administrative traffic and is therefore fully exposed to attack; it is the kind of machine you harden very carefully and audit regularly.

http://en.wikipedia.org/wiki/Bastion_host

The nice thing on AWS is that you can simply stop your bastion host when it is not in use and start it again as needed. (If you depend on a fixed public address for it, attach an Elastic IP; the auto-assigned public IPv4 address is released when an instance stops.)

In my case I would set up one for Linux and one for Windows.

- create bastion security group(s) within your VPC
- launch the bastion host instance(s) in the bastion security group
- allow remote access traffic (SSH/RDP) to the other instances in your VPC only from the bastion hosts' security group

Create one bastion security group if the same people manage all the servers. If different people manage different groups of servers, you may break it down further based on separation of duties, say Linux server managers versus Windows server managers, or server management versus database access to RDS.

For example:

Create a bastion-windows security group. Allow inbound RDP only from the machines permitted to administer Windows servers, by limiting the source to an IP range, a VPN endpoint, etc.

Create a bastion-linux security group. Allow inbound SSH only from the machines permitted to SSH into Linux instances at AWS.

Limit RDP to any Windows boxes so that it is allowed only from the bastion-windows security group. Use the security group itself as the rule's source rather than the bastion's IP address, so the rule keeps working after the bastion is stopped and started.

Limit SSH access to any Linux machines so that it is allowed only from the bastion-linux security group.

That funnels all your remote access through one channel, which reduces your attack surface and the number of access points you have to manage.
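As an added example (not part of the original post, and not AWS's own tooling), here is the funnel above expressed as security-group rules in the data shape boto3 uses, plus an audit that walks every security group in the VPC and flags any SSH/RDP ingress that does not come from the right bastion group: world-open SSH on an app server, RDP allowed from the Linux bastion instead of the Windows one, or an all-traffic rule that quietly includes port 22. The group IDs, the 203.0.113.0/24 admin range and the sample groups are made up for illustration; nothing here talks to AWS unless you hand a real boto3 client to apply_plan.

```python
"""Bastion funnel: the intended security-group rules, plus an audit that flags
any SSH/RDP ingress that bypasses the bastions.

Added example for this post, not AWS's own tooling. Data shapes follow boto3's
ec2.describe_security_groups() / authorize_security_group_ingress(); every
group ID and CIDR below is made up for illustration.
"""

SSH, RDP = 22, 3389
REMOTE_ACCESS_PORTS = (SSH, RDP)

# Made-up group IDs and an RFC 5737 test range standing in for the office/VPN CIDR.
BASTION_LINUX = "sg-0aaa1111bastionlnx"
BASTION_WINDOWS = "sg-0bbb2222bastionwin"
ADMIN_CIDR = "203.0.113.0/24"


def ingress_rule(port, *, cidr=None, source_group=None):
    """One IpPermissions entry: TCP `port` from a CIDR or from another security group."""
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if cidr:
        rule["IpRanges"] = [{"CidrIp": cidr}]
    if source_group:
        rule["UserIdGroupPairs"] = [{"GroupId": source_group}]
    return rule


def bastion_plan(admin_cidr, bastion_linux_id, bastion_windows_id):
    """Intended ingress per group: admins -> bastions, bastions -> the fleet.
    Fleet rules name the bastion *group* as source, not the bastion's IP, so they
    keep working when the bastion is stopped and started."""
    return {
        "bastion-linux":   [ingress_rule(SSH, cidr=admin_cidr)],
        "bastion-windows": [ingress_rule(RDP, cidr=admin_cidr)],
        "linux-servers":   [ingress_rule(SSH, source_group=bastion_linux_id)],
        "windows-servers": [ingress_rule(RDP, source_group=bastion_windows_id)],
    }


def apply_plan(ec2, group_ids, plan):
    """Push the plan with boto3 (`ec2 = boto3.client("ec2")`); group_ids maps the
    plan's names to existing GroupIds. Not called in this example."""
    for name, perms in plan.items():
        ec2.authorize_security_group_ingress(GroupId=group_ids[name], IpPermissions=perms)


def _covers(perm, port):
    """True if a permission entry includes TCP `port` (an all-traffic rule counts)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_groups(groups, bastions):
    """Return (group_id, name, port, source) for every SSH/RDP ingress that does
    not go through the right bastion.

    groups:   describe_security_groups()["SecurityGroups"]
    bastions: {port: bastion group id}, e.g. {22: bastion-linux, 3389: bastion-windows}
    Bastion groups may take their port from specific CIDRs or groups but never from
    the whole internet; every other group may take a port only from that port's bastion.
    """
    findings = []
    bastion_ids = set(bastions.values())
    for sg in groups:
        gid, name = sg["GroupId"], sg.get("GroupName", "")
        is_bastion = gid in bastion_ids
        for perm in sg.get("IpPermissions", []):
            for port in REMOTE_ACCESS_PORTS:
                if not _covers(perm, port):
                    continue
                cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                for cidr in cidrs:
                    if not is_bastion or cidr in ("0.0.0.0/0", "::/0"):
                        findings.append((gid, name, port, cidr))
                for pair in perm.get("UserIdGroupPairs", []):
                    if not is_bastion and pair.get("GroupId") != bastions.get(port):
                        findings.append((gid, name, port, pair.get("GroupId")))
    return findings


# Constructed sample: the four groups from the plan plus one "temporary" exception.
SAMPLE_GROUPS = [
    {"GroupId": BASTION_LINUX, "GroupName": "bastion-linux",
     "IpPermissions": [ingress_rule(SSH, cidr=ADMIN_CIDR)]},
    {"GroupId": BASTION_WINDOWS, "GroupName": "bastion-windows",
     "IpPermissions": [ingress_rule(RDP, cidr=ADMIN_CIDR)]},
    {"GroupId": "sg-0ccc3333linuxsrv", "GroupName": "linux-servers",
     "IpPermissions": [ingress_rule(SSH, source_group=BASTION_LINUX)]},
    {"GroupId": "sg-0ddd4444winsrv", "GroupName": "windows-servers",
     "IpPermissions": [ingress_rule(RDP, source_group=BASTION_WINDOWS)]},
    {"GroupId": "sg-0eee5555legacy", "GroupName": "legacy-app",
     "IpPermissions": [ingress_rule(SSH, cidr="0.0.0.0/0"),             # world-open SSH
                       ingress_rule(RDP, source_group=BASTION_LINUX)]},  # wrong bastion
]


if __name__ == "__main__":
    bastions = {SSH: BASTION_LINUX, RDP: BASTION_WINDOWS}
    for gid, name, port, source in audit_security_groups(SAMPLE_GROUPS, bastions):
        print(f"{name} ({gid}): port {port} reachable from {source}, not via its bastion")
```

In practice you would feed audit_security_groups the JSON from `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<your vpc>` and run it after every change, since "temporary" openings like the legacy-app group tend to outlive whoever added them. The same permission shape is used for IpPermissionsEgress, so the identical walk works if you also want to pin down what a bastion is allowed to reach.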

Other options:

You might install the database client tools on this machine, or force people to log into this machine and then remote from it to a separate machine that has the client tools, depending on the separation of duties and groups you require.

You might also want to segregate this further based on your organization's separation-of-duties needs, or set up additional instances to handle the load.

For example, you may want developer traffic to go straight to the development instances rather than through the bastion hosts used for production machines.

You might also break it down to limit your exposure to a security flaw in third-party software. For example, if you created a bastion host for accessing MySQL on RDS, installed MySQL Workbench on that host, and restricted that host from reaching any other machine remotely, you limit the damage if a remote code execution flaw ever turns up in MySQL Workbench. (Not that there is one; this is just an example of third-party software.)

Note that any extraneous software on your bastion host is a security risk, and it is better to avoid it altogether if possible.