AWS Security Essentials - Securing Connections with a Bastion Host

This lab allows the student to gain experience designing and implementing a secure bastion host solution. A bastion host is a server whose purpose is to provide a private connection to your private infrastructure in AWS from an external or public network. The bastion host provides an extra layer of security for your private infrastructure at all times. In this lab, we will set up a bastion host and learn how to establish a secure connection.


Path Info

Level: Intermediate
Duration: 1h 0m
Published: Dec 07, 2017


Table of Contents

  1. Challenge

    Configure Security Groups

    Navigate to EC2 from the services menu and select Security Groups from the menu on the left side of the page. We'll see two named security groups, Bastion and Private, in the top panel.

    Select the Bastion security group, click the Inbound tab in the lower panel, and click Edit to modify its inbound rules. Create a rule with the type SSH, and a source of Anywhere. Click Save.

    Next, select the Private security group, click the Inbound tab in the lower panel, and click Edit to modify its inbound rules. Create a rule with the type SSH, but this time, choose Custom from the source dropdown menu. In the text field, enter the group ID of the Bastion security group (this can be found in the top panel on the page or selected from a contextual menu that appears when we begin typing). In the description field, enter "from Bastion SG" to indicate that traffic is coming from the bastion host's security group. Click Save.

    Navigate to Instances on the menu on the left side of the page. We'll see three instances provisioned: two bastion hosts and one private instance.

  2. Challenge

    Connecting from BastionHost1

    Select the BastionHost1 instance. In the lower panel, copy the IPv4 public IP address to your clipboard. Open a terminal window on your computer and connect to the instance via SSH:

    $ ssh cloud_user@<IPv4 Public IP>
    

    Be sure to replace the IP address above with the one you copied. The password to log in can be found on the lab page, along with AWS credentials for this lab.

    Now that we're connected to the bastion host, we'll make sure it can connect to the private instance. From the Instances page in the AWS console, select PrivateInstance from the list in the top panel. Below, copy its private IP address to your clipboard.

    Go back to the terminal window, where we're still logged in to the bastion host. From the bastion host, connect to the private instance via SSH:

    $ ssh cloud_user@<Private IP>
    

    Replace the IP address in the command above with the IP address you copied for the private instance. The password to log in can be found on the lab page with the other credentials for this lab. If the security groups have been properly configured, we should be able to log in successfully.

    Disconnect from all instances before starting the next steps.

  3. Challenge

    Connecting with BastionHost2

    Next, we'll check whether we can get to the private instance from our second bastion host. Select BastionHost2 from the Instances list and copy its IPv4 public IP address from the description.

    Return to the terminal and connect to the second bastion host, using its IP and the credentials provided on the lab page:

    $ ssh cloud_user@<IPv4 Public IP>
    

    In the AWS console, select the PrivateInstance again and copy its private IP address. Go back to the terminal, where you should still be logged in to the second bastion host. Connect to the private instance using its IP address:

    $ ssh cloud_user@<Private IP>
    

    This time, the connection will fail. The BastionHost2 instance is part of a different security group that isn't allowed to connect to the private instance. To see more details, we can check which security group the second bastion host uses in its description on the Instances page.

  4. Challenge

    Changing Security Groups

    To fix this problem, we can change the security group for BastionHost2.

    Select Security Groups from the menu on the left side of the AWS console. Look for the Bastion security group (the same one we modified before) in the list within the top panel. Take note of the first four or five digits following "sg-" in its group ID.

    Go back to the Instances section from the menu on the left side of the AWS console. Select the BastionHost2 instance and click Actions at the top of the page. From this menu, select Networking, then select Change Security Groups. Check the box corresponding to the Bastion security group (we can check the first few digits to see which one it is). Also uncheck the box that was selected by default. Click Assign Security Groups.

    Now we can return to the terminal, where we're still logged in to BastionHost2. Use the "up" arrow key to find the SSH command that connects to the private instance. This time, we'll be prompted to enter the password and connect to PrivateInstance.
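The security-group logic behind Challenges 1 through 4 can be modelled offline. The following is an added example, not part of the lab, that uses the field names returned by `aws ec2 describe-security-groups` with constructed placeholder group IDs; it evaluates whether an instance in a given set of groups can reach the private instance on port 22 (the BastionHost1 success and BastionHost2 failure), and flags a private group that exposes SSH to the internet.

```python
# Added example (not part of the original lab). Group IDs are constructed
# placeholders; the dict layout mirrors `describe-security-groups` output.

def rule_allows_ssh(rule):
    """True if an IpPermissions entry covers TCP port 22."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "all traffic" rules carry no port range
        return True
    if proto != "tcp":
        return False
    return rule["FromPort"] <= 22 <= rule["ToPort"]

def can_ssh(source_group_ids, target_sg):
    """Can an instance whose groups are source_group_ids reach target_sg
    on port 22? As in AWS, any single matching allow rule is enough."""
    for rule in target_sg["IpPermissions"]:
        if not rule_allows_ssh(rule):
            continue
        if any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return True
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] in source_group_ids:
                return True
    return False

def private_sg_findings(sg):
    """Defender check: a private group should never allow SSH from 0.0.0.0/0."""
    findings = []
    for rule in sg["IpPermissions"]:
        if rule_allows_ssh(rule):
            for r in rule.get("IpRanges", []):
                if r["CidrIp"] == "0.0.0.0/0":
                    findings.append(f"{sg['GroupId']}: SSH open to 0.0.0.0/0")
    return findings

# Constructed sample groups matching the lab layout.
BASTION_SG = {"GroupId": "sg-bastion-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
OTHER_SG = {"GroupId": "sg-other-example", "IpPermissions": []}
PRIVATE_SG = {"GroupId": "sg-private-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-bastion-example",
                           "Description": "from Bastion SG"}]}]}

if __name__ == "__main__":
    print("BastionHost1 ->", can_ssh({BASTION_SG["GroupId"]}, PRIVATE_SG))
    print("BastionHost2 ->", can_ssh({OTHER_SG["GroupId"]}, PRIVATE_SG))
```

Moving BastionHost2 into the Bastion group (Challenge 4) corresponds to adding that group ID to its source set, after which the check passes.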

The Cloud Content team comprises subject matter experts hyper-focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!
