I've read that the best security practice for making EC2 instances Internet-accessible is to place them in a private VPC subnet, create a Bastion host in a public VPC subnet and use a security group to only allow connections from the Bastion Host and then do key forwarding to login to private instances.
However, it seems AWS offers various configurations which seem to provide similar functionality to an actual Bastion host. For instance using a Security group on a public subnet seems pretty good, and if someone gets access to your Bastion it seems likely that they're not far away from your private keys. In any case, is there anywhere I could find more info on this topic?
You can find best practices for using a Bastion Host here: https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html
Access to the bastion hosts is locked down to known CIDR scopes for ingress. This is achieved by associating the bastion instances with a security group. The Quick Start creates a BastionSecurityGroup resource for this purpose.
Ports are limited to allow only the necessary access to the bastion hosts. For Linux bastion hosts, TCP port 22 for SSH connections is typically the only port allowed.
Note that it is pretty common to create an SSH tunnel to connect to a given resource through your Bastion Host: https://myopswork.com/transparent-ssh-tunnel-through-a-bastion-host-d1d864ddb9ae
Hope it helps!
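To make the two controls in this answer concrete (ingress only from known CIDR scopes, only TCP port 22), here is an added example that is not part of the answer or of the AWS Quick Start. It audits a security group in the JSON shape returned by `aws ec2 describe-security-groups` and reports every rule that breaks the bastion pattern. The group ID, CIDRs and rules below are constructed sample data, and the approved-source list is an assumed value you would replace with your own.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output (not real AWS data). The second rule exposes SSH to the world and
# the third opens a port other than 22; both break the bastion pattern.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "BastionSecurityGroup",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ],
}

# Ingress sources the organisation has approved (assumed values).
KNOWN_CIDRS = ["203.0.113.0/24", "2001:db8:1::/48"]


def _source_is_known(cidr, known):
    """True if `cidr` lies entirely inside one of the approved networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    for k in known:
        knet = ipaddress.ip_network(k, strict=False)
        # subnet_of() refuses to compare IPv4 with IPv6, so check the family first.
        if net.version == knet.version and net.subnet_of(knet):
            return True
    return False


def audit_bastion_sg(sg, known_cidrs, ssh_port=22):
    """Return a list of findings. An empty list means every ingress rule is
    TCP/ssh_port only and every CIDR source is inside an approved network."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        # Rules whose source is another security group have no CIDRs; they
        # still get the port check below.
        where = f"{proto} {lo}-{hi} from {sources or rule.get('UserIdGroupPairs')}"
        if proto == "-1":
            findings.append(f"all protocols allowed: {where}")
            continue
        if proto != "tcp" or (lo, hi) != (ssh_port, ssh_port):
            findings.append(f"port other than tcp/{ssh_port} exposed: {where}")
        for src in sources:
            if ipaddress.ip_network(src, strict=False).prefixlen == 0:
                findings.append(f"open to the world ({src}): {where}")
            elif not _source_is_known(src, known_cidrs):
                findings.append(f"unapproved source {src}: {where}")
    return findings


if __name__ == "__main__":
    for finding in audit_bastion_sg(SAMPLE_SG, KNOWN_CIDRS):
        print(finding)
```

Once the group is clean, reach a private instance with `ssh -J ec2-user@<bastion> ec2-user@<private-ip>` (or `ProxyJump` in `~/.ssh/config`); ProxyJump tunnels the second SSH session through the bastion, so neither the private key nor a forwarded agent has to be present on the bastion itself.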
It's a matter of minimizing attack surface.
With a bastion host your only exposure to the open internet (ex any load balancers) is port 22, which is backed by a relatively trustworthy piece of software.
It's also a single point of management: you define one security group that identifies IP addresses that are allowed to contact the bastion, and you create a single authorized_keys file that contains public keys of your authorized users. When a user leaves, you delete a line from each.
By comparison, if you rely solely on security groups to protect publicly-accessible hosts, you need to replicate the same settings on every group (and remove/update them as needed). And if you allow SSH access to those hosts, you have to distribute the authorized_keys file after every change.
Although I can't recommend doing this, it's at least rational to open port 22 on the bastion host for world access. If you have a lot of users, or those users connect via tethered cellphones, it may even be reasonable. That's something that you'd never, ever want to do with arbitrary services.
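The offboarding step this answer describes (delete one line from authorized_keys and one source from the bastion's security group) is shown below as an added example; it is not part of the answer. The point worth getting right is that the authorized_keys line is located by the key's SHA256 fingerprint (the same value `ssh-keygen -l` prints), not by the trailing comment, which is free text that any key holder can set to anything. The key blobs are syntactically valid ssh-ed25519 blobs built from filler bytes, the addresses are documentation ranges, and the ingress rule is in the shape of `describe-security-groups` output; all of it is constructed for the example.

```python
import base64
import hashlib
import re
import struct

# Finds the key type and blob in an authorized_keys line even when options
# such as from="..." or command="..." (which may contain spaces) precede them.
_KEY_RE = re.compile(
    r"(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.@-]+)"
    r"\s+(?P<b64>[A-Za-z0-9+/]+={0,2})"
)


def fingerprint(b64_key):
    """SHA256 fingerprint of a base64 public-key blob, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def line_fingerprint(line):
    """Fingerprint of the key on an authorized_keys line, or None for
    comments, blank lines and lines that carry no parseable key."""
    if line.lstrip().startswith("#"):
        return None
    m = _KEY_RE.search(line)
    return fingerprint(m.group("b64")) if m else None


def revoke_key(authorized_keys, fp):
    """Return authorized_keys with every line carrying key `fp` removed.
    Comments and blank lines survive untouched."""
    kept = [ln for ln in authorized_keys.splitlines() if line_fingerprint(ln) != fp]
    return "\n".join(kept) + ("\n" if kept else "")


def revoke_source(ip_permissions, cidr):
    """Drop `cidr` from every ingress rule; a rule left with no source at all
    is removed rather than kept as an empty shell."""
    out = []
    for rule in ip_permissions:
        v4 = [r for r in rule.get("IpRanges", []) if r["CidrIp"] != cidr]
        v6 = [r for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] != cidr]
        if v4 or v6 or rule.get("UserIdGroupPairs"):
            out.append({**rule, "IpRanges": v4, "Ipv6Ranges": v6})
    return out


def offboard(authorized_keys, ip_permissions, fp, cidr):
    """The two deletions the answer describes, done together."""
    return revoke_key(authorized_keys, fp), revoke_source(ip_permissions, cidr)


def _constructed_ed25519(fill):
    """Syntactically valid ssh-ed25519 blob made from a filler byte. NOT a
    real key; it exists only so the example runs offline."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([fill]) * 32)
    return base64.b64encode(blob).decode()


ALICE, BOB = _constructed_ed25519(0x41), _constructed_ed25519(0x42)

# Constructed sample file: one user with per-key options, one without.
SAMPLE_AUTHORIZED_KEYS = (
    "# bastion users (constructed sample)\n"
    f'from="198.51.100.7/32",no-agent-forwarding ssh-ed25519 {ALICE} alice@laptop\n'
    f"ssh-ed25519 {BOB} bob@desktop\n"
)

# Constructed ingress rule in describe-security-groups shape.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.7/32", "Description": "alice"},
                  {"CidrIp": "203.0.113.0/24", "Description": "office"}],
     "Ipv6Ranges": []},
]

if __name__ == "__main__":
    keys, rules = offboard(SAMPLE_AUTHORIZED_KEYS, SAMPLE_INGRESS,
                           fingerprint(ALICE), "198.51.100.7/32")
    print(keys)
    print(rules)
```

In practice you would take the fingerprint from your user inventory (or from `ssh-keygen -lf` on the key the user originally submitted) and write `keys` back to the bastion with the same ownership and `0600` mode, then apply the trimmed rule list with `aws ec2 revoke-security-group-ingress`; the functions here only compute the new state.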