@cfn-modules/ssh-bastion
v1.4.4
SSH bastion (jump server, bastion host) based on Amazon Linux with a fixed public IP address (Elastic IP), running in a 1:1:1 auto scaling group, alerting, and IAM user SSH access.
cfn-modules: SSH bastion
Install
Install Node.js and npm first!
npm i @cfn-modules/ssh-bastion
Usage
```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-modules example'
Resources:
  Bastion:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        VpcModule: !GetAtt 'Vpc.Outputs.StackName' # required
        AlertingModule: !GetAtt 'Alerting.Outputs.StackName' # optional
        HostedZoneModule: !GetAtt 'HostedZone.Outputs.StackName' # optional
        KeyName: '' # optional
        IAMUserSSHAccess: false # optional
        InstanceType: 't2.nano' # optional
        LogGroupRetentionInDays: 14 # optional
        SubDomainNameWithDot: 'ssh.' # optional
      TemplateURL: './node_modules/@cfn-modules/ssh-bastion/module.yml'
```
Examples
Related modules
none
SSH
Single user: ec2-user
Specify the same KeyName parameter for the SSH bastion and all other stacks you want to connect to. Then use

ssh -J ec2-user@$BastionPublicIpAddress ec2-user@$TargetPrivateIpAddress

and replace $BastionPublicIpAddress with the PublicIpAddress output of the SSH bastion module stack and $TargetPrivateIpAddress with the private IP address of the EC2 instance you want to connect to. The -J (ProxyJump) option requires OpenSSH 7.3 or newer. Give the user name on the target host explicitly: -J only sets the user for the jump host, and ssh otherwise falls back to your local user name on the target.

Personalized users (IAMUserSSHAccess := true)
Enable the IAMUserSSHAccess parameter for the SSH bastion and all other stacks you want to connect to, and upload your SSH public key to your IAM user (for example with aws iam upload-ssh-public-key); the instances create a Linux user per IAM user with that key. Then use

ssh -J $UserName@$BastionPublicIpAddress $UserName@$TargetPrivateIpAddress

and replace $UserName with your IAM user name, $BastionPublicIpAddress with the PublicIpAddress output of the SSH bastion module stack, and $TargetPrivateIpAddress with the private IP address of the EC2 instance you want to connect to.
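Typing -J for every connection is error-prone, so the usual setup is an ssh_config stanza that routes the whole private address range through the bastion. The script below is an added example, not part of the cfn-modules project: it looks up the PublicIpAddress output with the AWS CLI (the stack name, the login user and the Host pattern are assumptions passed in by the caller) and emits a config fragment that works for both cases above, with ec2-user as the user for the single-user setup and your IAM user name for IAMUserSSHAccess.

```shell
#!/usr/bin/env bash
# Added example (not part of @cfn-modules/ssh-bastion): build an ssh_config
# fragment that reaches private-subnet hosts through the bastion via ProxyJump.
set -eu

# Resolve the PublicIpAddress output of the bastion stack. Needs AWS
# credentials and network access; the stack name is an assumption of the caller.
lookup_bastion_ip() {
  aws cloudformation describe-stacks --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='PublicIpAddress'].OutputValue" \
    --output text
}

# Emit the ssh_config fragment.
#   $1 bastion Elastic IP, $2 login user (ec2-user or IAM user name),
#   $3 ssh_config Host pattern of the private network (ssh_config uses glob
#      patterns, so 10.0.* covers a 10.0.0.0/16 VPC; assumed value).
bastion_ssh_config() {
  local bastion_ip="$1" user="$2" private_pattern="$3"
  cat <<EOF
Host bastion
    HostName ${bastion_ip}
    User ${user}
    # The Elastic IP is stable, but the auto scaling group replaces the instance
    # on failure and the replacement may present a new host key. Keep the
    # default prompt rather than disabling the check, and compare the new
    # fingerprint against the EC2 console output of the fresh instance.
    StrictHostKeyChecking ask

Host ${private_pattern}
    User ${user}
    ProxyJump bastion
    # ProxyJump tunnels the TCP connection; the private key never has to be on
    # the bastion, so there is no reason to forward the agent to it.
    ForwardAgent no
EOF
}

# Stand-alone usage (needs AWS credentials), e.g.:
#   BASTION_STACK=my-bastion BASTION_USER=ec2-user ./bastion-config.sh >> ~/.ssh/config
if [ -n "${BASTION_STACK:-}" ]; then
  bastion_ssh_config "$(lookup_bastion_ip "$BASTION_STACK")" \
    "${BASTION_USER:-ec2-user}" "${PRIVATE_HOSTS:-10.0.*}"
fi
```

After appending the fragment to ~/.ssh/config, `ssh 10.0.1.23` connects through the bastion with the right user on both hops; `ssh bastion` still gives you the bastion itself.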
Parameters
Limitations
- Highly available: a single EC2 instance is running at a time (it is replaced automatically in case of failure)
- Scalable: EC2 instance capacity (CPU, RAM, network, ...) is limited by design
- Secure: the root volume is not encrypted at rest (not possible unless the AMI is encrypted)
- Secure: the root volume is not backed up
- Monitoring: network in/out is not monitored relative to the capacity of the instance type