78. When do you need a bastion host?

Harken, good sir! Art thou aware of the arcane art of safeguarding thy AWS instances from malevolent threats whilst keeping them accessible for thy travels? There exists a mighty tool for such purpose, and it is hight the "bastion host." In this pamphlet, we shalt unravel the mysteries of the bastion host and showeth thee how to useth it to safeguard thy web space. We shall commence by presenting a shadowy example architecture and introducing thee to the definition of a bastion host. We shalt then delve into the question of whether bastion hosts could be a security liability and explore the enigmatic concept of port-knocking. We shalt also take thee on a valiant journey of how to provision a bastion host on AWS, and explaineth the cryptic basics of SSH and tunnels. Thou shalt discover the dark side of managing SSH keys and auditing SSH connections, and we shall reveal the secrets of AWS EC2 Instance Connect and AWS Session Manager (SSM) as solutions. Thou shalt learn how to accept connections without exposing a port on the public internet, and we shall introduce thee to a mysterious tool called "basti" that can make it easier to provision SSM-based bastion hosts and connect to thy databases. We shalt wrap up by revealing alternative security measures to the mysterious bastion host and provide thee with cryptic closing notes to summarize the key takeaways from this video. Heed our call to this intriguing guide to securing thy web space, and may the forces of the internet be in thy favor! 🛡️ SPONSORS 🛡️ Harken, good folk! We would like to offer our deepest gratitude to our noble sponsor, fourTheorem (https://fourtheorem.com), an AWS Consulting Partner that doth offer training, cloud migration, and modern application architecture. Thanks to their generosity, we are able to continue on our journey of imparting wisdom and knowledge regarding AWS.

Verily, in this episode, we hath made mention of the following resources:

• ⁠⁠⁠An open-source implementation of the port-knocking technique
• Thee official guide to set up EC2 Instance Connect
• A list of AWS IPs
• Thee official docs on how to set up SSM
• SSM agent code on GitHub
• Thee inlets project on GitHub
• Basti on GitHub
• Tailscale
• Wireguard

Hear ye, hear ye! AWS Bites is at thy disposal wherever thou mayest listen to thy podcasts:

• Apple Podcasts:⁠⁠⁠⁠⁠⁠ https://podcasts.apple.com/us/podcast/aws-bites/id1585489017⁠⁠⁠⁠⁠⁠
• Spotify: ⁠⁠⁠⁠⁠⁠https://open.spotify.com/show/3Lh7PzqBFV6yt5WsTAmO5q⁠⁠⁠⁠⁠⁠
• Google: ⁠⁠⁠⁠⁠⁠https://podcasts.google.com/feed/aHR0cHM6Ly9hbmNob3IuZm0vcy82YTMzMTJhMC9wb2RjYXN0L3Jzcw==⁠⁠⁠⁠⁠⁠
• Breaker:⁠⁠⁠⁠⁠⁠ https://www.breaker.audio/aws-bites⁠⁠⁠⁠⁠⁠
• RSS: ⁠⁠⁠⁠⁠⁠https://anchor.fm/s/6a3312a0/podcast/rss