Drop the bastion in the clouds (AWS, Azure (kinda), and GCP)

Amazon Web Services (AWS)

For AWS, they offer a service called Systems Manager. This management service helps you automatically collect software inventory, apply patches, create system images, and configure Windows and Linux operating systems. This service called also be used to SSH into your hosts. With the Systems Manager agent installed on the host, you can ssh into a host just using the CLI without the need to maintain a security group.

sorry for the bad graphic :(
# session manager plugin install
curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip"
unzip sessionmanager-bundle.zip
sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin
aws ssm start-session — target <instance_id>
Starting session with SessionId: <instance_id>
sh-4.2$ echo "success!"
Totally didn’t steal this from their docs…
Didn’t steal this from their docs either…
  • Enable the service under Security > Identity-Aware Proxy
  • This will load an OAuth consent screen for users which you need fill out (just needs an App name, then save). You can set OAuth grant token limits, API Scopes, authorized domains, and even a logo here. Up until recently, this process was completely manual. GCP now offers a way to programming complete this step.
  • Depending on your setup, you need to an ingress firewall rule for 35.235.240.0/20 on ssh (22) and/or rdp (3389) which used by IAP for TCP Forwarding. You can use network tags here or all instances in the VPC for VMs in scope.
  • Ensure your user has the role IAP-secured Tunnel User and can at least see the compute resources (computer viewer)
  • You’ll need to add the flag tunnel-through-iap when you use gcloud to SSH into the host.
gcloud compute ssh <instance_id> --zone <instance_zone> --tunnel-through-iap

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store