I am wondering how you should set up your network (AWS) so you can debug different things that might occur. Obviously there's logging, but it seems at some point you might require SSHing into the actual machine of interest and checking around. If this is the case, it seems you would need to open up port 22 on every machine in the network. To make it secure, I would only allow the bastion host to connect to my IP address, and then every other machine only allows connections from the bastion host on the internal network. Is this considered bad practice? If so, what is the right way to go about this situation?
1 Answer
This is a great question because this is a common concern I deal with. I will give some answers into what you should understand and what I would do.
A Bastion Host or JumpBox is just a two-step so you can log in to AWS via SSH port 22 or RDP port 3389, as you already know (for new users reading). It is a way to secure your instances and not let them be in public subnets (exposed to the internet). Which means you need to access the jumpbox (Bastion Host) and then connect to the instance which is in a private subnet (no internet access). If you have multiple instances this will save you a lot because you will only have to manage the security of the bastion host.
Opening SSH to the world is a very dangerous practice. For one, when you create an instance in Amazon it generates a keypair .pem so you can connect to your EC2 instances. The issue is managing the keys. If we talk about an organization as an example, many users will have keys, which will be an issue and will fall out of hands if the instances are exposed to the internet; also it's not a good practice to share keys between users for the same instances.
Summary:
So between these points, what I would suggest if that is the level of security you want is that you may want to look at something called SSM. SSM is an agent that is installed in your instances that monitors the instances; you can block all SSH access, including in a private subnet. And you can only connect through it via the AWS Console (picture below). You will not need a bastion host nor to open your instances up to the world via an SSH port. Which means you will save costs and also provide better security. Another point is you will have full access to the instances (logs, healthcheck and control) through IAM, with which you can authorize which user or resource has access to it.
Login through SSM
Observation: These are all in a private subnet and I use an Internet Gateway to download dependencies from yum.
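As an added example (not part of the answer above or of any AWS tooling), the check a practitioner would run to confirm that the bastion-only design from the question is actually in place: it walks security-group rules in the shape returned by `aws ec2 describe-security-groups` and flags any rule that opens SSH (22) or RDP (3389) to the whole internet instead of to the bastion's group or a single admin address. The group IDs, addresses and rules below are constructed sample data.

```python
"""Audit EC2 security-group rules for SSH/RDP exposed to the world.

Input mirrors the structure of `aws ec2 describe-security-groups` output
(GroupId, IpPermissions with IpProtocol/FromPort/ToPort/IpRanges/Ipv6Ranges).
All sample data below is constructed for illustration.
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _covers(perm, port):
    """True if a permission entry includes the given TCP port (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule: every protocol and port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_exposed_admin_ports(groups):
    """Return (group_id, port, cidr) for every SSH/RDP rule open to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            for port in ADMIN_PORTS:
                if _covers(perm, port):
                    findings.extend((sg["GroupId"], port, c) for c in cidrs if c in WORLD_CIDRS)
    return findings


# Constructed sample: a bastion reachable only from one admin address, a private
# group that trusts only the bastion's group, and a misconfigured group that
# opens a whole port range (including 22) to everyone over IPv4 and IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    for gid, port, cidr in world_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: {ADMIN_PORTS[port]} (tcp/{port}) open to {cidr}")
```

Against a real account, feed it `json.load(...)["SecurityGroups"]` from `aws ec2 describe-security-groups --output json`; an empty result is what the bastion-only (or SSM-only, with no inbound 22/3389 at all) design should produce.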
How is SSM any more secure than SSH, it still has to open the HTTPS port. I don't understand that part. – Lance Jul 31 '20 at 19:38
Also, not sure if you addressed how to ssh into the rest of your network beyond the SSM or bastion host. How do you do that with SSM? Or should you still be able to do that, so you can debug? – Lance Jul 31 '20 at 19:39
The difference is management. You will not need a bastion host to connect to the instance nor open SSH ports. Second is that you only connect to the instance if you're logged in to the AWS Console, which means an extra layer of security besides your MFA to your root account, if it's enabled, as well as IAM policy. – Sherlocker Jul 31 '20 at 19:43
You write *Opening ssh to the world is a very dangerous practice.* - what do you base this on? OpenSSH has a rather good security track record, and is *widely* used - on the open internet. – vidarlo Dec 29 '20 at 16:04