@cfn-modules/ssh-bastion

SSH bastion (jump server, bastion host) based on Amazon Linux with a fixed public IP address (Elastic IP), running in a 1:1:1 auto scaling group, alerting, and IAM user SSH access.

Usage no npm install needed!

<script type="module">
  import cfnModulesSshBastion from 'https://cdn.skypack.dev/@cfn-modules/ssh-bastion';
</script>

README

cfn-modules: SSH bastion

SSH bastion (jump server, bastion host) based on Amazon Linux with a fixed public IP address (Elastic IP), running in a 1:1:1 auto scaling group, alerting, and IAM user SSH access.

Install

Install Node.js and npm first!

npm i @cfn-modules/ssh-bastion

Usage

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-modules example'
Resources:
  Bastion:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        VpcModule: !GetAtt 'Vpc.Outputs.StackName' # required
        AlertingModule: !GetAtt 'Alerting.Outputs.StackName' # optional
        HostedZoneModule: !GetAtt 'HostedZone.Outputs.StackName' # optional
        KeyName: '' # optional
        IAMUserSSHAccess: false # optional
        InstanceType: 't2.nano' # optional
        LogGroupRetentionInDays: 14 # optional
        SubDomainNameWithDot: 'ssh.' # optional
      TemplateURL: './node_modules/@cfn-modules/ssh-bastion/module.yml'

Examples

Related modules

none

SSH

Single user: ec2-user

Specify the same KeyName parameter for the SSH bastion and all other stacks you want to connect to.

Use ssh -J ec2-user@$BastionPublicIpAddress $TargetPrivateIpAddress and replace $BastionPublicIpAddress with the PublicIpAddress output of the SSH bastion module stack; $TargetPrivateIpAddress with the private IP address of the EC2 instance you want to connect to.

Personalized users (IAMUserSSHAccess := true)

Enable the IAMUserSSHAccess parameter for the SSH bastion and all other stacks you want to connect to.

Use ssh -J $UserName@$BastionPublicIpAddress $TargetPrivateIpAddress and replace $UserName with your IAM user name; $BastionPublicIpAddress with the PublicIpAddress output of the SSH bastion module stack; $TargetPrivateIpAddress with the private IP address of the EC2 instance you want to connect to.

Parameters

Name Description Default Required? Allowed values
VpcModule Stack name of vpc module yes
AlertingModule Stack name of alerting module no
HostedZoneModule Stack name of module implementing HostedZone no
KeyName Key name of the Linux user ec2-user to establish a SSH connection to the EC2 instance no
IAMUserSSHAccess Synchronize public keys of IAM users to enable personalized SSH access (https://github.com/widdix/aws-ec2-ssh)? false no [true, false]
InstanceType The instance type for the EC2 instance t2.nano no
LogGroupRetentionInDays Specifies the number of days you want to retain log events 14 no [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
SubDomainNameWithDot Name that is used to create the DNS entry with trailing dot, e.g. §{SubDomainNameWithDot}§{HostedZoneName}. Leave blank for naked (or apex and bare) domain. Requires HostedZoneModule parameter! test. no

Limitations

  • Highly available: A single EC2 instance is running at a time (will be automatically replaced in case of failure)
  • Scalable: EC2 instances capacity (CPU, RAM, network, ...) is limited by design
  • Secure: Root volume is not encrypted at-rest (not possible unless the AMI is encrypted)
  • Secure: Root volume it not backed up
  • Monitoring: Network In+Out is not monitored according to capacity of instance type