Next gen bastion host on AWS with Cloud9 and Systems Manager

Scenario: You have some workloads running on AWS in a VPC with public and private subnets. The typical way to get remote access to private resources (in private subnets, for example) is a bastion host (aka jump host). To connect to the bastion host itself, you have two options:

  • Option 1: Put the bastion host in a public subnet and use a security group to limit which IP addresses can SSH/RDP into it.
  • Option 2: Set up a VPN connection; once connected to the VPC via VPN, admins can SSH/RDP into the bastion host.

Both options have some weaknesses:

  • They need network configuration, and will expose the system if you configure something wrong.
  • It is impossible, or very hard (via VPN), to apply MFA to the bastion host.
  • To separate admins into profiles, you need to configure users and user groups on the bastion host, which is complicated and hard to manage with IaC (Infrastructure as Code) because the host is mutable.

Objectives for a new solution

  1. MFA can be applied easily
  2. An immutable infrastructure approach: profiling without configuring users on the bastion host
  3. Admin profiles can be templated to grant access to different resources

And we will only call that solution “next gen” if:

  1. It comes with a nice code editor to easily write/edit configuration files.
  2. Downloading/uploading files to/from the local machine is already built in.
  3. Dark mode! :D

Bastion host with Cloud9

Cloud9 introduction: Cloud9 was not originally a bastion solution. AWS Cloud9 is an online IDE whose backend connects (over SSH) to a host. It provides a terminal with full sudo privileges on that backend host.

Dark Mode detected!!
Reference: https://aws.amazon.com/cloud9/details/

We will make use of Cloud9 and its beautiful terminal to create a web-based bastion host.

BUT WAIT…!

So what is Systems Manager doing in the title of this article in the first place?

I will ignore the whole Session Manager solution of AWS Systems Manager because it’s also quite complicated, and has no Dark Mode.

Let’s begin with an architecture

We don’t want to configure anything about the network; the bastion instance is ideal if we don’t have to configure anything about its security group either.

Now we go

  • Go to Cloud9 and create an environment

I will ignore the less important parts and cover just the configuration relevant to this article.

  • To keep it simple, we do not want to care about the security group, so the no-ingress option is perfect. This option is actually a preconfigured EC2 instance with Systems Manager (SSM Agent installed) that uses the Session Manager component for the connection.
  • Another good-to-have preconfigured feature is auto-hibernation after a period of no activity. With this setting enabled, you don’t have to do anything.
  • Last but not least, choose the subnet for the bastion instance. The only configuration you need to prepare is a NAT Gateway for this private subnet (usually present in a typical network), since the SSM Agent needs outbound access to reach Systems Manager.
  • Then Next, Next, and you will see the Cloud9 UI. You can start using it as a typical bastion host, but with Dark Mode and a nice IDE that is far better than vi, vim or nano.
  • After you quit the browser (no activity) for 30 minutes, the instance auto stops/hibernates to save cost. When you come back via the Cloud9 link, AWS Cloud9 auto-starts the instance (in 3 minutes).

How can we make sure this is the next gen bastion solution?

  • The solution comes with no security group rules to maintain; everything about security is managed via IAM.
  • Via IAM (or SSO, Organizations), you can create a dedicated user with least-privilege permissions (the AWSCloud9User policy), force MFA and share the Cloud9 environment.
  • Each Cloud9 environment is backed by an EC2 bastion instance. You can create multiple environments and give each EC2 instance a role with just enough permissions to manage AWS resources (via the AWS CLI). This gives you the ability to profile the bastion hosts without managing users inside them.
  • Did you know you can easily download/upload files to the bastion host via the Cloud9 IDE?
  • And of course, from what you see, Dark Mode!!!
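As an added example (my code, not from the article or from AWS), here is the environment setup from the walkthrough and the IAM points above in Python: the `create_environment_ec2` parameters use boto3's real names, the MFA-enforcing inline policy is AWS's documented deny-without-MFA pattern, and `audit_environment` is a hypothetical check that takes a `describe_environments` entry plus a constructed, simplified dict of instance facts.

```python
import json

# Added example, not the article's code. Assumes boto3 parameter names for
# cloud9.create_environment_ec2 (real) and a constructed, simplified shape for
# the `instance` facts given to audit_environment (hypothetical helper).

def cloud9_environment_request(name, subnet_id, instance_type="t3.small", stop_after_minutes=30):
    """Parameters for cloud9.create_environment_ec2 reflecting the article's choices."""
    return {
        "name": name,
        "instanceType": instance_type,
        "subnetId": subnet_id,                          # private subnet behind a NAT Gateway
        "connectionType": "CONNECT_SSM",                # "no-ingress": Session Manager, no inbound rule
        "automaticStopTimeMinutes": stop_after_minutes, # auto-hibernate when idle
    }

def mfa_enforced_policy():
    """Inline policy to attach beside AWSCloud9User: deny everything unless MFA is present,
    except the calls a user needs to enrol an MFA device (AWS's documented pattern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllWithoutMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }

def audit_environment(env, instance):
    """List deviations from the article's criteria. env: one entry from
    cloud9.describe_environments; instance: constructed dict with keys
    'public_ip', 'ingress_rules', 'auto_stop_minutes'."""
    findings = []
    if env.get("connectionType") != "CONNECT_SSM":
        findings.append("connection is not via SSM: an inbound SSH rule would be needed")
    if instance.get("public_ip"):
        findings.append("bastion has a public IP address")
    if instance.get("ingress_rules"):
        findings.append("security group has ingress rules to maintain")
    if not instance.get("auto_stop_minutes"):
        findings.append("auto stop is disabled: an idle instance keeps running")
    return findings

if __name__ == "__main__":
    print(json.dumps(cloud9_environment_request("bastion-admin", "subnet-PLACEHOLDER"), indent=2))
    print(json.dumps(mfa_enforced_policy(), indent=2))
```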