A Bastion is a single AWS Elastic Cloud Compute (T2.nano) instance that uses the latest Amazon Linux AMI HVM. It acts as a "jump-box" server to provide secure SSH access to private resources inside a Virtual Network.
In a VPC, you indicate which resources have access to the internet by separating them into public and private subnets. This EC2 instance sits in a public subnet and allows authorized SSH-access into resources in your private subnet. The Bastion offers security groups that can be configured to allow specific IP addresses access, and achieve fine-grained security control.
Benefits of using a Bastion:
- Securely connect to private resources without exposing them to the internet
- Assign SSH keys to authorized users
- Can be configured to be highly available with auto scaling groups, multiple availability zones, and elastic IPs
Configure a resilient bastion host using these best practices provided by AWS.
The unique identifier used to reference this resource in the stack template. Defining a custom Logical ID is recommended, as it allows you to quickly identify a resource and any associated sub-resources when working with your stack in AWS, or anywhere outside of the Stackery Dashboard. As a project grows, it becomes useful in quickly spotting this resource in
template.yaml or while viewing a stack in Template View mode.
The Logical ID of all sub-resources associated with this Bastion will be prefixed with this value.
The identifier you provide must only contain alphanumeric characters (A-Za-z0-9) and be unique within the stack.
Default Logical ID Example:
IMPORTANT : AWS uses the Logical ID of each resource to coordinate and apply updates to the stack when deployed. On any update of a resource's logical ID (or any modification that results in one), CloudFormation will delete the currently deployed resource and create a new one in its place when the updated stack is deployed.
SSH Public Keys
The usernames and their associated public keys that will have access to the Bastion server.
When connected by a reference wire (dashed wire), a Function or Docker Task will add the following IAM policy to its role and gain permission to access this resource.
No Permissions Added
When connected by a reference wire (dashed wire), a Function or Docker Task will automatically populate and reference the following environment variables in order to interact with this resource.
No Environment Variables Added.
Related AWS Documentation
AWS Documentation: AWS::EC2::Instance