# cfn-modules: SSH bastion

SSH bastion (jump server, bastion host) based on Amazon Linux with a fixed public IP address (Elastic IP), running in a 1:1:1 Auto Scaling group (min = max = desired = 1 instance), with alerting and IAM user SSH access.
## Install

Install Node.js and npm first!

```bash
npm i @cfn-modules/ssh-bastion
```
## Usage

```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-modules example'
Resources:
  Bastion:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        VpcModule: !GetAtt 'Vpc.Outputs.StackName' # required
        AlertingModule: !GetAtt 'Alerting.Outputs.StackName' # optional
        HostedZoneModule: !GetAtt 'HostedZone.Outputs.StackName' # optional
        KeyName: '' # optional
        IAMUserSSHAccess: false # optional
        InstanceType: 't2.nano' # optional
        LogGroupRetentionInDays: 14 # optional
        SubDomainNameWithDot: 'ssh.' # optional
      TemplateURL: './node_modules/@cfn-modules/ssh-bastion/module.yml'
```
## Examples

## Related modules

none
## SSH

### Single user: ec2-user

Specify the same `KeyName` parameter for the SSH bastion and all other stacks you want to connect to.

Use `ssh -J ec2-user@$BastionPublicIpAddress $TargetPrivateIpAddress` and replace `$BastionPublicIpAddress` with the `PublicIpAddress` output of the SSH bastion module stack, and `$TargetPrivateIpAddress` with the private IP address of the EC2 instance you want to connect to.

### Personalized users (IAMUserSSHAccess := true)

Enable the `IAMUserSSHAccess` parameter for the SSH bastion and all other stacks you want to connect to.

Use `ssh -J $UserName@$BastionPublicIpAddress $TargetPrivateIpAddress` and replace `$UserName` with your IAM user name, `$BastionPublicIpAddress` with the `PublicIpAddress` output of the SSH bastion module stack, and `$TargetPrivateIpAddress` with the private IP address of the EC2 instance you want to connect to.
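The two `ssh -J` workflows above, wrapped in small helpers as an added example (not part of the cfn-modules project): `stack_output` reads the `PublicIpAddress` output with the AWS CLI (assumes the CLI and credentials are set up), `jump_command` builds the exact command from this README but refuses targets outside RFC 1918 space, and `bastion_ssh_config` turns the `-J` hop into a persistent `ProxyJump` stanza. The user name is `ec2-user` or, with `IAMUserSSHAccess`, your IAM user name.

```shell
# Print one output value of a CloudFormation stack, e.g. the bastion's PublicIpAddress.
# Requires the AWS CLI with credentials; everything else below runs offline.
stack_output() {  # usage: stack_output <stack-name> <output-key>
  aws cloudformation describe-stacks --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='$2'].OutputValue" --output text
}

# Succeed only for a dotted-quad IPv4 address inside an RFC 1918 range.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
    *) return 1 ;;
  esac
  # the case pattern alone would accept "10.foo"; require exactly four numeric octets
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the README's one-hop command. Targets that are not private addresses
# should never be reached through the bastion, so they are rejected.
jump_command() {  # usage: jump_command <user> <bastion-public-ip> <target-private-ip>
  is_private_ipv4 "$3" || { echo "refusing non-private target: $3" >&2; return 1; }
  printf 'ssh -J %s@%s %s\n' "$1" "$2" "$3"
}

# Print an ssh_config fragment so that "ssh 10.0.1.5" hops via the bastion automatically.
# IdentitiesOnly limits the client to the configured key instead of offering every loaded one.
bastion_ssh_config() {  # usage: bastion_ssh_config <user> <bastion-public-ip> <private-host-pattern>
  cat <<EOF
Host bastion
  HostName $2
  User $1
  IdentitiesOnly yes

Host $3
  User $1
  ProxyJump bastion
EOF
}
```

Example values such as 203.0.113.10 (a documentation address) and the `10.0.*` pattern are constructed; substitute the bastion stack's `PublicIpAddress` output and your VPC's CIDR.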
## Parameters

Name | Description | Default | Required? | Allowed values |
---|---|---|---|---|
VpcModule | Stack name of vpc module | | yes | |
AlertingModule | Stack name of alerting module | | no | |
HostedZoneModule | Stack name of module implementing HostedZone | | no | |
KeyName | Key name of the Linux user ec2-user to establish an SSH connection to the EC2 instance | | no | |
IAMUserSSHAccess | Synchronize public keys of IAM users to enable personalized SSH access (https://github.com/widdix/aws-ec2-ssh)? | false | no | [true, false] |
InstanceType | The instance type for the EC2 instance | t2.nano | no | |
LogGroupRetentionInDays | Specifies the number of days you want to retain log events | 14 | no | [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653] |
SubDomainNameWithDot | Name that is used to create the DNS entry with trailing dot, e.g. ${SubDomainNameWithDot}${HostedZoneName}. Leave blank for naked (or apex and bare) domain. Requires HostedZoneModule parameter! | test. | no | |
## Limitations

- Highly available: A single EC2 instance runs at a time (it is replaced automatically in case of failure)
- Scalable: EC2 instance capacity (CPU, RAM, network, ...) is limited by design
- Secure: Root volume is not encrypted at rest (not possible unless the AMI is encrypted)
- Secure: Root volume is not backed up
- Monitoring: Network In+Out is not monitored according to the capacity of the instance type