Lab 2: Bastion Host Configuration

• Introduction
• Blueprint
• Elastic IP
• Key Pair
• Security Group
• IAM Policy
• IAM Role
• Launch Template
• Auto Scaling Group
• Private Key Forwarding (Putty/Pageant)

Introduction

In this lab, we will configure a bastion host that is singly redundant by leveraging on auto-scaling group.

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration.

Blueprint

Elastic IP

An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. An Elastic IP address is allocated to your AWS account, and is yours until you release it.

1) In EC2 service page, navigate to Elastic IPs page and click on Allocate Elastic IP address

2) Use default options (Use Amazon's Pool of IPv4 Addresses) 3) Click "Allocate"

Note: Save the IP Address for accessing the instance and resource ID for cli attachment of elastic IP onto the bastion host later

Key Pair

A key pair, consisting of a private key and a public key, is a set of security credentials that you use to prove your identity when connecting to an instance.

1) In EC2 service page, navigate to Key Pairs page and click on Create Key Pair

2) Tag VPC resource with a name: bastion-keys
3) Select ppk file format
4) Click Create Key Pair

Note: Key pair will be downloaded automatically on your browser, save it for accessing the bastion host later

Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. They can be attached to certain resources such as EC2 on AWS.

1) In EC2 service page, navigate to Security Group page and click on Create security group

2) Set Security Group Name: Bastion-SecG
3) Set Description: Allows SSH For Bastion Host
4) Under Inbound Rules, Click Add rule
5) Select Type: SSH, Source: Custom 0.0.0.0/0, Note: Best Practice, the source should be set as trusted IPs only.
6) Click Create security group

IAM Policy

A policy defines the AWS permissions that you can assign to a user, group, or role.

In this section, we will create a policy to allow our bastion host to handle ElasticIPs resource

1) In IAM service page, navigate to Policies page and click on Create policy

2) Select the JSON tab, copy and paste the code below into the editor. The following JSON object denotes an Allow for certain actions on other resources (e.g DisassociateAddress)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:ReleaseAddress",
                "ec2:DisassociateAddress",
                "ec2:DescribeNetworkInterfaces",
                "ec2:AssociateAddress",
                "ec2:AllocateAddress"
            ],
            "Resource": "*"
        }
    ]
}

3) Click Review policy

4) Set Name: AllowEC2AccessENI 5) Set Description: To Allow EC2 Instances to access ENI resources 6) Click Create Policy

IAM Role

IAM roles are a secure way to grant permissions to entities that you trust. Examples of entities include the following:

• IAM user in another account
• Application code running on an EC2 instance that needs to perform actions on AWS resources
• An AWS service that needs to act on resources in your account to provide its features
• Users from a corporate directory who use identity federation with SAML

We are going to create a role for our EC2 and attach the previously created policy to it. This will allow any EC2 instances attached with this role to have permission to handle elastic IPs resource

1) In IAM service page, navigate to Roles page and click on Create Role

2) Select Type as AWS service

3) Choose and Select Use Case: EC2 4) Click Next: Permissions

5) Attach Permissions policy: AllowEC2AccessENI

6) Set Role name: Bastion-ENI
7) Set Role description: Allow EC2 Instances to access ENI resources
8) Click Create role

Launch Template

1) In EC2 service page, navigate to Launch Templates page and click on Create launch template

2) Set Launch Template Name: Bastion-Host-Recovery
3) Select AMI: Amazon Linux 2 AMI
4) Select Instance Type: t2.micro

5) Set Key pair: bastion-keys (Previously Created)
6) Set Security Groups Bastion-SecG (Previously Created)

7) Under advanced details, select IAM Instance profile: Bastion-ENI (Previously Created)

User Data

When you launch an instance in Amazon EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance has started

We will add a script for the launch template to use during automated EC2 instance creation. The script will use AWS CLI to attach an elastic IP to it. This ensures the bastion host that is created to always have the same IP for access

8) Under User data, Add the following script. **Note: Change < Your ElasticIP ID > to your previously created elastic IP's resource ID. **

#!
INSTANCE_ID=`/usr/bin/curl -s http://169.254.169.254/latest/meta-data/instance-id`\
aws ec2 associate-address --instance-id $INSTANCE_ID --allocation-id <Your ElasticIP ID> --allow-reassociation --region ap-southeast-1

9) Click Create launch template

Auto Scaling Group

1) In EC2 service page, navigate to Auto Scaling Group page and click on Create An Auto Scaling group

2) Set Auto Scaling Group name: Bastion-Host-Recovery
3) Select Launch Template: Bastion-Host-Recovery
4) Click Next

5) Select VPC: 3-tier-vpc
6) Select Subnets: public-subnet-1 & public-subnet-2
7) Click Next

8) Leave Options Default
9) Click Next

10) Leave Options Default
11) Click Next

Note: Setting 1/1/1 capacity will ensure there is at least one bastion host up at a time

12) Leave Options Default
13) Click Next

14) Optional to add Tag: Bastion-ASG
15) Click Next

16) Click Create Auto Scaling Group

Private Key Forwarding (Putty/Pageant)

For Secure Connection to Linux Instances Running in a Private Amazon VPC through Bastion Host https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/

Download Putty & Pageant: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

You can SSH to any Instances as long as the private key is added into Pageant

1) Open Pageant, add private key (ppk) assigned to EC2 Instances in Launch Template

2) Open Putty, Under Conncetion > SSH > Auth, Allow Agent-forwarding in Putty

3) In Putty, Under Session, Specify Hostname as the ec2-user@{bastion host elastic IP}

4) Click Open