📖 What is Bastion Host?
A Bastion Host is a hardened server deployed within a VPC to provide secure, controlled access to resources in private subnets. It acts as a single point of entry, mitigating exposure of internal instances directly to the internet and enforcing strict access controls via SSH or RDP.
"Understand the architectural pattern of placing a Bastion Host in a public subnet. Exam questions frequently test the ability to differentiate its function from a VPN or proxy server. It's a security best practice, not a core AWS service with extensive configuration options."
📚 Certification: AWS Certified Solutions Architect - Associate (SAA-C03)
🔑 What are the Key Concepts of Bastion Host?
- Bastion Hosts reside in public subnets, allowing inbound SSH/RDP access while protecting private subnet resources.
- They are typically configured to enforce multi-factor authentication (MFA) and strict source-IP whitelisting, tightening access control.
- Bastion Hosts are typically hardened – meaning they have minimal software installed and are regularly patched.
- They are not a core AWS service; you create them using standard EC2 instances and security group configurations.
- Using a Bastion Host is a key component of a zero-trust security model, limiting network exposure.
🎯 How does Bastion Host appear on the SAA-C03 Exam?
You may be asked to identify the best method for a developer to securely access a database server residing in a private subnet without exposing it directly to the internet.
A scenario might describe a security audit finding that internal instances are directly accessible from the internet – determine how to remediate this using a Bastion Host.
Expect questions about choosing between a Bastion Host, a VPN, and AWS Systems Manager Session Manager for secure remote access.
❓ Frequently Asked Questions
When would you choose a Bastion Host over AWS Systems Manager Session Manager?
Session Manager doesn't require open inbound ports, but a Bastion Host is useful when you need to use existing SSH/RDP tools or for legacy applications that don't support Session Manager.
What security group rules are essential for a Bastion Host?
Allow SSH (port 22) or RDP (port 3389) inbound only from your known IP address or a jump host. Outbound should be restricted to only necessary destinations.
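As an added example (not from the page or from AWS), a small Python checker that applies these security group rules to a constructed rule set: the `Rule` dataclass, the sample CIDRs and the private subnet range are assumptions, not the EC2 API or a real deployment.

```python
"""Added example: audit security-group rules for a bastion host.
The Rule shape and sample CIDRs are constructed, not the EC2 API."""
from dataclasses import dataclass
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


@dataclass(frozen=True)
class Rule:
    direction: str  # "ingress" or "egress"
    protocol: str   # "tcp", "udp" or "-1" (all protocols)
    from_port: int  # inclusive range; ignored when protocol == "-1"
    to_port: int
    cidr: str       # IPv4 or IPv6 prefix


def is_any_address(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. reachable from the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_bastion_sg(rules: list[Rule]) -> list[str]:
    """One finding per rule breaking the pattern: inbound only SSH/RDP from
    known sources, outbound restricted to the private subnets it serves."""
    findings = []
    for r in rules:
        reasons = []
        if r.direction == "ingress":
            if r.protocol == "-1" or r.to_port != r.from_port:
                reasons.append("allows more than a single port")
            elif r.from_port not in ADMIN_PORTS:
                reasons.append("exposes a non-admin port")
            if is_any_address(r.cidr):
                reasons.append("source is any address, not a known IP")
        elif r.direction == "egress":
            if r.protocol == "-1" or is_any_address(r.cidr):
                reasons.append("outbound traffic is not restricted")
        if reasons:
            findings.append(f"{r.direction} {r.protocol} {r.from_port}-"
                            f"{r.to_port} {r.cidr}: " + "; ".join(reasons))
    return findings


# Constructed rule sets: the audit-finding case and its remediation.
WEAK_RULES = [Rule("ingress", "tcp", 22, 22, "0.0.0.0/0"),   # SSH from anywhere
              Rule("egress", "-1", 0, 65535, "0.0.0.0/0")]   # all outbound
HARDENED_RULES = [Rule("ingress", "tcp", 22, 22, "203.0.113.10/32"),  # known IP
                  Rule("egress", "tcp", 22, 22, "10.0.1.0/24")]       # private subnet
```

Running `audit_bastion_sg(WEAK_RULES)` reports the world-open SSH rule and the unrestricted egress; the hardened set returns no findings.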
Can a Bastion Host be used for all remote access needs?
While secure, Bastion Hosts require management and patching. Consider Session Manager for simplified access and reduced operational overhead where applicable.