AWS is a public cloud so the resources you create in AWS cloud like EC2 instance or RDS Database can be publicly accessible which makes them very susceptible to hacking.
Always best practice is to create a VPC (virtual private cloud) with private and public subnets. Create all your resources like servers and databases in private subnets. When you create a resource in a private subnet, it will have only a private IP and will not be accessible from outside the private network.
Creating a resource in private subnets makes it secure but has two challenges. First is accessing the internet from the server to download libraries, install packages, access S3 or other global services, etc. Secondly, how do we provide access to these servers to administrators or developers to do SSH to check logs or do any kind of maintenance?
The first problem can be solved by configuring the NAT gateway in the private subnet. All resources created in the private subnet would use the NAT gateway to access the internet.
The second challenge of accessing the servers created in the private subnet can be solved in 3 ways
- Jump server or bastion host
- Session Manager of AWS Systems Manager
- VPN solutions
How Jump Server or Bastion Host is Setup
Below is a reference architecture diagram to set up a bastion host to access the ec2 instances, databases, and other resources created in the private subnet.
- An EC2 instance is created in the public subnet and only SSH port (22) is open. Anyone who wants to access the bastion host needs to have a private key.
- Security groups at the Application servers and Database Server instances are enabled to allow the traffic from the bastion host.
- Users can directly configure SSH port forwarding or SSH tunneling in their local system to use the bastion host machine to connect to the database or application server. SSH access tools like putty and Database access clients provide you the option to configure the bastion host / SSH tunneling machine.
Session Manager of AWS Systems Manager
Another alternate way to access private resources in the AWS cloud is by enabling Session Manager. Session manager is an AWS Systems Manager capability to manage your AWS EC2 instances through an interactive one-click browser-based shell.
Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain a bastion host or manage SSH keys.
Benefits of Session Manager
- Centralized access control to instances using IAM policies
- No open inbound ports and no need to manage bastion hosts or SSH keys
- One-click access to instances from the console and CLI
- Port forwarding
- Cross-platform support for Windows, Linux, and macOS
- Logging and auditing session activity
Setting up an VPN solution would ensure only authrized users can access the servers/databases/other resources in the public cloud. Users would first need to authenticate and connect to the VPN.
You can also implement both VPN and Jump host together for additional security measures.