Coding w/ Cody

Deploying a Bastion Host on AWS with Terraform

Written on February 25th, 2025 by Cody Snider

Why You Need a Bastion Host

If you’re managing infrastructure on AWS, you don’t want to expose every EC2 instance to the open internet. That’s just asking for trouble. Instead, you set up a bastion host—a small, hardened instance that acts as the only entry point for SSH access. This keeps your private instances safe while still allowing admin access when needed.

Benefits:

  • Security: Limits SSH access to a single, monitored entry point.
  • Simplicity: Avoids opening SSH on multiple instances.
  • Auditability: Logs access attempts in one place.
  • Compliance: Helps meet security best practices.

Now, let’s build one using Terraform.

Terraform Code for a Bastion Host

Here’s a simple Terraform setup to deploy a bastion on AWS.

1. EC2 Instance for Bastion

resource "aws_instance" "bastion" {
  ami                         = "ami-0dc2d3e4c0f9ebd18"  # Amazon Linux 2 (check for latest)
  instance_type               = "t3.micro"  # Small but functional
  key_name                    = "your-key-name"  # Your SSH key
  subnet_id                   = module.vpc.public_subnet_ids[0]
  associate_public_ip_address = true  # Needs public IP for access

  root_block_device {
    volume_size = 8
    volume_type = "gp2"
  }

  tags = {
    Name = "bastion"
  }

  vpc_security_group_ids = [aws_security_group.bastion_sg.id]
}

👉 What’s happening?

  • We create a lightweight t3.micro instance.
  • It gets a public IP so you can SSH into it.
  • It uses an existing SSH key (pix-master).
  • Storage is kept minimal (8GB gp2).

2. Security Group for SSH Access

resource "aws_security_group" "bastion_sg" {
  name        = "bastion_sg"
  description = "Allow SSH access to bastion host"
  vpc_id      = module.vpc.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # ⚠️ Change this! Limit to your IP or VPN
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

👉 Security Notes:

  • This allows SSH from anywhere (0.0.0.0/0)—DO NOT leave it like this in production!
    • Change it to your IP: cidr_blocks = ["your.ip.here/32"]
    • Or, use a VPN/office range.

Using the Bastion Host

1. Connect via SSH

Once the bastion is deployed, connect to it:

ssh -i ~/.ssh/your-ssh-key ec2-user@BASTION_PUBLIC_IP

2. Access Private Instances

From the bastion, SSH into private instances:

ssh -i ~/.ssh/private-key.pem private-user@PRIVATE_IP

Or, if you set up an SSH agent:

ssh-add ~/.ssh/private-key.pem
ssh private-user@PRIVATE_IP

Making It More Secure

  • Lock Down SSH Access: Restrict to specific IPs.
  • Use AWS Systems Manager (SSM) Instead: SSM Session Manager lets you SSH without opening any ports.
  • Monitor Logs: Set up CloudWatch Logs to track access.

Final Thoughts

A bastion host is a must-have if you’re managing AWS resources. With Terraform, you can deploy it quickly and securely. Just don’t forget to tighten SSH rules and consider more advanced access methods like AWS SSM.

🚀 Now go lock down your AWS infrastructure!