Linux Bastion Hosts on the AWS Cloud

Quick Start Deployment Guide

QS

July 2022
Santiago Cardenas, AWS Serverless Partners
Tony Vattathil, Ian Hill, and Troy Lindsay, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Quick Start. To comment on the documentation, refer to Feedback.

This Quick Start was created by Amazon Web Services (AWS). Quick Starts are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Quick Starts, refer to the AWS Quick Start General Information Guide.

Overview

This Quick Start deploys Linux Bastion Hosts on the AWS Cloud. This guide covers the steps necessary to deploy this Quick Start.

This Quick Start provides Linux bastion host functionality for AWS Cloud infrastructures. It deploys a virtual private cloud (VPC) using the Amazon VPC Quick Start reference deployment. Then, it sets up private and public subnets and deploys Linux bastion instances into the VPC. You can also choose to deploy Linux bastion hosts into your existing VPC.

The bastion hosts provide secure access to Linux instances located in the private and public subnets. The Quick Start architecture deploys Linux bastion host instances into every public subnet to provide readily available administrative access to the environment. The Quick Start sets up a Multi-AZ environment consisting of two Availability Zones. If highly available bastion access is not necessary, you can stop the instance in the second Availability Zone and start it up when needed.

You can use this Quick Start as a building block for your own Linux-based deployments. You can add other infrastructure components and software layers to complete your Linux environment in the AWS Cloud. To build an AWS Cloud infrastructure for accessing Microsoft Windows-based instances, see the Quick Start for Remote Desktop (RD) Gateway.

Costs and licenses

There is no cost to use this Quick Start, but you will be billed for any AWS services or resources that this Quick Start deploys. For more information, refer to the AWS Quick Start General Information Guide.

Architecture

Deploying this Quick Start with default parameters builds the following Linux bastion hosts environment in the AWS Cloud.

Architecture
Figure 1. Quick Start architecture for Linux bastion hosts on AWS

As shown in Figure 1, this Quick Start sets up the following:

  • A highly available architecture that spans two Availability Zones.*

  • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • An internet gateway to allow access to the internet. This gateway is used by the bastion hosts to send and receive traffic.*

  • In the public subnets:

    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*

    • A Linux bastion host in an Auto Scaling group for connecting to Amazon Elastic Compute Cloud (Amazon EC2) instances in public and private subnets.

      • As of July 25th, 2022, the Linux bastion host will not have a public IP address assigned for remote access by default, and should be accessed via AWS Systems Manager or alternate means.

      • If a remote access CIDR block is configured for the deployment, an Elastic IP address is assigned and inbound Secure Shell (SSH) access is permitted.

  • An Amazon CloudWatch log group to hold the Linux bastion host shell history logs.

* The template that deploys this Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Deployment options

This Quick Start provides the following deployment options:

This Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Linux bastion hosts settings.

Predeployment steps

Choose a Region

  • Before deploying the stack, in the AWS Management Console, choose an AWS Region from the top toolbar.

    AWS Region list
    Figure 2. Selecting an AWS Region
    Consider choosing a Region closest to your data center or corporate network to reduce network latency between systems running on AWS and the systems and users on your corporate network.

(Optional) Create a key pair

If you want to access for your Linux bastion host via SSH as well as AWS Systems Manager, you must create a key pair. To create a key pair in your preferred Region, do the following:

  1. In your AWS Management Console, choose an AWS Region.

  2. On the Services menu, choose EC2.

  3. Under Network and Security, choose Key Pairs.

  4. Choose Create Key Pair.

  5. Enter a name and choose Create.

    keypair
    Figure 3. Creating a key pair

    Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. To be able to log in to your instances, you must create a key pair. On Linux, the key pair is used to authenticate SSH login.

Deployment steps

  1. Sign in to your AWS account, and launch this Quick Start, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template. Deployment takes about 5 minutes to complete.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you are customizing the Quick Start templates for your own projects, don’t change the default settings for the following Amazon Simple Storage Service (Amazon S3) parameters: Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these settings automatically updates code references to point to a new Quick Start location. For more information, refer to the AWS Quick Start Contributor’s Guide.
  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates IAM resources that might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Linux Bastion Hosts deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Postdeployment steps

Log in to the bastion host. Use one of the following user names, depending on your choice of Linux distribution:

  • Amazon Linux / SUSE Linux Enterprise Server (SLES): ec2-user

  • CentOS: centos

  • Ubuntu: ubuntu

The Linux distribution is specified in the Bastion AMI operating system parameter when you deploy the templates.

Enabling and customizing the Linux bastion host banner

This Quick Start provides the default banner illustrated in Figure 4 for the Linux bastion hosts. The banner is disabled by default. To enable it, set the Bastion banner parameter to true during deployment.

To customize the banner, create an ASCII text file with your own banner content. Then upload it to an S3 bucket or other publicly accessible location, and verify that it is accessible from the host.

Bastion logging

The bastion hosts deployed by this Quick Start provide a command logger in the /var/log/audit/audit.log file. This log file contains the date, SSH client connection IP address, user name, working directory, and the commands issued.

For added security, the contents of the /var/log/audit/audit.log file is also stored in a CloudWatch Logs log group in the AWS Cloud, and remains available in case the bastion hosts fail.

The log includes a history of the commands that are run when you log in. Figure 5 shows an example.

Logging
Figure 5. Bastion logging

To notify your users that all their commands will be monitored and logged, we recommend that you enable the bastion host banner. For more information, see Enabling and Customizing the Linux bastion host banner. The default banner text includes the alert shown in Figure 4, which you can customize.

The bastion.log file is an immutable file that cannot be easily deleted or tampered with. However, in case this happens, there is a shadow file with a copy of bastion.log located in /var/log/audit/audit.log. And, the Quick Start also stores the contents of bastion.log remotely using the CloudWatch Logs service. Log files can be found under CloudWatch Logs using the instance ID as the log stream name.

Remote access

This Quick Start provisions one Linux bastion host in each Availability Zone with a single security group as a virtual firewall. This security group is required for remote access from the Internet if a remote access CIDR block was configured for the deployment. The security group is configured as follows:

Inbound

Source Protocol Ports

Remote access CIDR

TCP

22

Remote access CIDR

ICMP

N/A

Outbound

Destination Protocol Ports

0.0.0.0/0

All

All

For more information, see Internetwork traffic privacy in Amazon VPC.

Troubleshooting

For troubleshooting common Quick Start issues, refer to the AWS Quick Start General Information Guide and Troubleshooting CloudFormation.

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack’s state is retained, and you can troubleshoot the issue.

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Ensure that you delete stack after troubleshooting.

For more information, see Troubleshooting AWS CloudFormation.

Q. I encountered a size-limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template-size limitations. For more information, see AWS CloudFormation quotas.

Q. I changed the instance type parameter after deployment and updated the stack, but the instance types did not change or the Elastic IP addresses were not reassociated after the stack update.

A. Terminate your bastion host instances. They will be replaced by Auto Scaling. A bootstrap action is performed on the new instances to configure security settings and CloudWatch logs and associate Elastic IP addresses.

Resources

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, refer to the Quick Start Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.