AWS Security Essentials – Securing Connections with a Bastion Host
This activity allows the student to gain experience designing and implementing a secure bastion host solution. A bastion host is a server whose purpose is to provide a private connection to your private infrastructure in AWS from an external or public network. The Bastion Host provides an extra layer of security for your private infrastructure at all times. In this Learning Activity, we will setup a Bastion Host and learn how to establish a secure connection.
Securing Connections with a Bastion Host
In this lab, we implement a bastion host for increased security; specifically, we want to ensure the security groups are configured for optimum security. The pre-provisioned setup includes three EC2 instances with four subnets (one instance in each subnet, with a fourth, empty instance). Our subnets are BastionHost1, BastionHost2, and PrivateInstance. The lab environment also included two premade security groups, Bastion and Private; neither of these groups contain any rules.
Before getting started, make sure you're logged in to the AWS web console and have selected the N. Virginia region (us-east-1).
Configure Security Groups
Navigate to EC2 from the services menu and select Security Groups from the menu on the left side of the page. We'll see two named security groups, Bastion and Private , in the top panel.
Select the Bastion security group, click the Inbound tab in the lower panel, and click Edit to modify its inbound rules. Create a rule with the type SSH, and a source of Anywhere. Click Save.
Next, select the Private security group, click the Inbound tab in the lower panel, and click Edit to modify its inbound rules. Create a rule with the type SSH, but this time, choose Custom from the source dropdown menu. In the text field, enter the group ID of the Bastion security group (this can be found in the top panel on the page or selected from a contextual menu that appears when we begin typing). In the description field, enter "from Bastion SG" to indicate that traffic is coming from the bastion host's security group. Click Save.
Navigate to Instances on the menu on the left side of the page. We'll see three instances provisioned: two bastion hosts and one private instance.
Connecting from BastionHost1
Select the BastionHost1 instance. In the lower panel, copy the IPv4 public IP address to your clipboard. Open a terminal window on your computer and connect to the instance via SSH:
$ ssh email@example.com
Be sure to replace the IP address above with the one you copied. The password to log in can be found on the lab page, along with AWS credentials for this lab.
Now that we're connected to the bastion host, we'll make sure it can connect to the private instance. From the Instances page in the AWS console, select PrivateInstance from the list in the top panel. Below, copy its private IP address to your clipboard.
Go back to the terminal window, where we're still logged in to the bastion host. From the bastion host, connect to the private instance via SSH:
$ ssh firstname.lastname@example.org
Replace the IP address in the command above with the IP address you copied for the private instance. The password to log in can be found on the lab page with the other credentials for this lab. If the security groups have been properly configured, we should be able to log in successfully.
Disconnect from all instances before starting the next steps.
Connecting with BastionHost2
Next, we'll check whether we can get to the private instance from our second bastion host. Select BastionHost2 from the Instances list and copy its IPv4 public IP address from the description.
Return to the terminal and connect to the second bastion host, using its IP and the credentials provided on the lab page:
$ ssh email@example.com
In the AWS console, select the PrivateInstance again and copy its private IP address. Go back to the terminal, where you should still be logged in to the second bastion host. Connect to the private instance using its IP address:
$ ssh firstname.lastname@example.org
This time, the connection will fail. The BastionHost2 instance is part of a different security group that isn't allowed to connect to the private instance. To see more details, we can check which security group the second bastion host uses in its description on the Instances page.
Changing Security Groups
To fix this problem, we can change the security group for BastionHost2.
Select Security Groups from the menu on the left side of the AWS console. Look for the Bastion security group (the same one we modified before) in the list within the top panel. Take note of the first four-five digits following "sg-" in its group ID.
Go back to the Instances section from the menu on the left side of the AWS console. Select the BastionHost2 instance and click Actions at the top of the page. From this menu, select Networking, then select Change Security Groups. Check the box corresponding with the Bastion security group (we can check the first few digits to see which one it is). Also uncheck the box that was selected by default. Click Assign Security Groups.
Now we can return to the terminal, where we're still logged in to BastionHost2. Use the "up" arrow key to find the SSH command that connects to the private instance. This time, we'll be prompted to enter the password and connect to PrivateInstance
In this lab, we learned how to connect to a private instance from a bastion host. We also learned how to troubleshoot a bastion host that has been configured with an improper security group.
Congratulations! You've completed the lab on securing connections with a bastion host! You can now mark this lab complete and continue with the rest of the course.