Run Bastions on Demand to Access Your AWS VPCs

Any time you have a VPC, you’ll likely need some way to gain access to the resources within the VPC from your local box. Typically, the way to do that is to run a bastion (or jumpbox) which you and your team can SSH into. The downside is that you are exposing an entry point into your network that is accessible by multiple people and running 24×7. And depending on how you manage permissions, you may not be able to restrict access to the box via IAM. Obviously, this is not ideal.

Luckily, we have Fargate.

With Fargate, we no longer need to maintain permanent bastion instances—we can create bastions when needed and tear them down when no longer in use. We can lock down bastion instances to an individual user both in terms of SSH keys and IP address. And we can restrict access via IAM to both the API used to manage bastions and to which SSH keys are used to log into an instance.

All in all, we save on infrastructure spend while reducing our attack surface.

Bastions on Demand :: The Consulting CTO

This looks like an intriguing solution to a problem that has bothered me for years. Running sshd provides an attack surface for bad actors just because it’s there. Ideally you should never expose the ssh port to the public network, even if it is well secured. Bastion hosts are a well known solution to this but one that is often not implemented for one reason or another. Turning it inot a service seems like a good idea.