Is it possible to set up a bastion host in AWS that would check IAM to verify whether a given user can connect to a specific EC2 instance?

It might be a bit blurry, but the idea is the following.

Let's assume that a company has 2 customers and each of them operates on a single EC2 instance. So we have MachineA and MachineB for customers A and B. Then, we also have 3 employees:

  • John - a sysadmin that needs to be able to connect everywhere
  • Steve - developer working on a product for customer A. Clearly he should be able to connect to MachineA only
  • Mary - developer working on a product for customer B. Clearly she should be able to connect to MachineB only

Both machines run in a private subnet, and connecting to them would be possible only through a bastion host in a public subnet. Now, would it be possible to configure this bastion so that it verifies the user's group in IAM to make sure that this user can connect to a given machine?

So, when Mary connects through SSH to the bastion she uses her own identity. There she tries to jump to MachineB, so the bastion checks the user's credentials, verifies that she is in group devsB and allows her to connect, but it would refuse the connection if she tried to connect to MachineA for any reason...

3 Answers


You can utilize AWS Systems Manager to manage access control to your EC2 instances with IAM.


You can use aws-gate, which combines the SSH key upload functionality of EC2 Instance Connect with SSH over SSM tunnelling; access is fully managed via IAM policies, and it uses AWS CloudTrail for auditing.
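What the "IAM check" looks like when it is done the Session Manager way, as an added example that is not code from the two answers above nor from aws-gate: the IAM policy that lets one customer's developers start sessions only on that customer's instances, and the client-side ssh_config that tunnels SSH through an SSM session. It assumes something the question does not state, namely that every instance carries a tag named `Customer` whose value is `A` or `B`; the account and region are left as wildcards.

```shell
#!/bin/sh
# Added example, not code from the answers above or from aws-gate: the IAM
# policy that makes Session Manager enforce the per-customer rule, and the
# client-side ssh_config that tunnels SSH through an SSM session.
# Assumption (not stated on the page): every instance carries a tag
# "Customer" whose value is the customer letter (A or B).

# Print an IAM policy document for one customer's developers. StartSession is
# allowed only on instances whose Customer tag matches, so Steve (Customer=A)
# is refused by the service itself when he targets MachineB. John gets the
# same policy without the Condition block.
ssm_policy_for_customer() {
  customer="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnOwnCustomerInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/Customer": "${customer}" }
      }
    },
    {
      "Sid": "AllowTheSshOverSsmDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/AWS-StartSSHSession"
    },
    {
      "Sid": "ManageOnlyOwnSessions",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}

# Print the ~/.ssh/config stanza that routes "ssh i-0123..." through Session
# Manager instead of a bastion: the instance needs no public IP and no inbound
# security-group rule, and every session start is recorded in CloudTrail.
ssh_over_ssm_config() {
  cat <<'EOF'
Host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Usage: ./ssm-access.sh A > devs-a-policy.json
if [ -n "${1:-}" ]; then
  ssm_policy_for_customer "$1"
fi
```

The check the question wants the bastion to perform is done here by the SSM service when `ssm:StartSession` is evaluated: the tag condition is the "is this user allowed on this machine" rule, and the instance never has to trust the bastion's judgement. The third statement restricts each user to terminating or resuming their own sessions only.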

xenol

I wouldn’t rely on IAM Group membership as it may be a little challenging to test in the SSH context.

Instead I would give all users SSH access to the bastion host under individual user accounts and only the appropriate users access to each of the customers’ instances.

The simplest way is to add Steve’s public SSH key to MachineA:/home/ec2-user/.ssh/authorized_keys. Similarly Mary’s public key to MachineB.

Then you can use SSH ProxyJump along with SSH Agent to facilitate the access.

Hope that helps :)
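The per-user-key scheme from this answer carried through end to end, as an added example that is not MLu's own code: the client-side ProxyJump configuration, a bastion `sshd_config` fragment that makes the bastion itself refuse a jump to the wrong machine (which goes one step beyond the answer and gives the "refuse Mary on MachineA" behaviour the question asked for), and a small audit that lists who holds keys in each machine's `authorized_keys`. Hostnames, private addresses, usernames and the key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not MLu's own code: the client ProxyJump config for the
# per-user-key scheme above, the bastion-side sshd_config fragment that makes
# the bastion itself refuse a jump to the wrong machine (this goes one step
# beyond the answer), and a small audit of who holds keys on each machine.
# Hostnames, addresses, usernames and key material are constructed placeholders.

# Client-side ~/.ssh/config for one employee. With ProxyJump the second hop is
# authenticated end-to-end from the laptop's ssh-agent; no private key and no
# agent forwarding ever reaches the bastion.
proxyjump_config() {
  user="$1"
  cat <<EOF
Host bastion
    HostName bastion.example.com
    User ${user}
    IdentitiesOnly yes
    ForwardAgent no

Host machine-a
    HostName 10.0.1.10
    User ec2-user
    ProxyJump bastion

Host machine-b
    HostName 10.0.2.10
    User ec2-user
    ProxyJump bastion
EOF
}

# Bastion /etc/ssh/sshd_config fragment (Match blocks must be the last thing in
# the file). ProxyJump is an "ssh -W" TCP forward, so PermitOpen is the exact
# knob for "Steve may only forward to MachineA". John gets no Match block.
bastion_sshd_fragment() {
  cat <<'EOF'
Match User steve
    PermitOpen 10.0.1.10:22
    PermitTTY no
    AllowAgentForwarding no
Match User mary
    PermitOpen 10.0.2.10:22
    PermitTTY no
    AllowAgentForwarding no
EOF
}

# Audit helper: print the comment (treated as the owner) of every key in an
# authorized_keys file. Blank and '#' lines are skipped, and leading option
# strings such as from="10.0.0.5",no-pty are handled by locating the key type.
key_holders() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521))$/) {
          print ((i + 2 <= NF) ? $(i + 2) : "(no comment)")
          break
        }
      }
    }' "$1"
}

# Exit 0 if <user> holds a key in <authorized_keys file>.
has_key() {
  key_holders "$1" | grep -qx "$2"
}

# Constructed sample authorized_keys files for the two machines (the key
# blobs are placeholders, not real keys). Prints the directory they live in.
make_sample_keys() {
  d=$(mktemp -d)
  cat >"$d/machine-a.authorized_keys" <<'EOF'
# MachineA:/home/ec2-user/.ssh/authorized_keys
ssh-ed25519 AAAAC3PLACEHOLDERKEYFORJOHN john
from="10.0.0.5" ssh-ed25519 AAAAC3PLACEHOLDERKEYFORSTEVE steve
EOF
  cat >"$d/machine-b.authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3PLACEHOLDERKEYFORJOHN john
ssh-rsa AAAAB3PLACEHOLDERKEYFORMARY mary
EOF
  echo "$d"
}

# Usage: ./bastion-keys.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample_keys)
  for m in machine-a machine-b; do
    printf '%s: ' "$m"; key_holders "$d/$m.authorized_keys" | tr '\n' ' '; echo
  done
  has_key "$d/machine-a.authorized_keys" mary || echo "mary holds no key on machine-a (correct)"
  rm -r "$d"
fi
```

Two layers do the enforcement: the key on the target machine decides who can log in there, and `PermitOpen` inside a `Match User` block decides which destination each bastion account may forward to at all, so a developer who somehow obtained the other customer's key would still be stopped at the bastion. `PermitOpen` only takes effect if `AllowTcpForwarding` has not been disabled globally, since ProxyJump depends on that forward. The audit function is the piece worth running periodically: it compares the real `authorized_keys` contents on each machine against the intended list, which is the check the answer's scheme otherwise leaves to memory.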

MLu