You likely have this setup already. App servers sit in private subnets, the database is locked down, and everything looks good on the diagram until someone needs shell access for a deployment, an emergency config change, or a late-night debug session.
That is where teams make bad security decisions. Someone opens SSH broadly for convenience, adds a temporary public IP to a private instance, or copies private keys onto a server that was never meant to hold them. A proper bastion server aws design prevents that drift.
A bastion host is still one of the clearest patterns for controlled administrative access in AWS. But it is no longer the sole serious option. If you are building this for the first time, you should understand both the classic EC2 bastion model and the modern AWS Systems Manager Session Manager approach before you standardize on either one.
Why a Bastion Host Is Still a Core Security Tool
The most common reason to deploy a bastion is simple. Your private instances should stay private, but engineers still need access.
A backend team might run API servers, workers, and internal tools in private subnets with no public IPs. That is the right default. The problem starts when operations tasks appear: checking logs, running a migration, validating a deployment, or reaching an internal host during an incident.
A bastion host solves that by acting as the one public doorway into an otherwise private environment. Bastion hosts in AWS reduce the network attack surface by limiting public exposure to a single EC2 instance. Instead of hardening dozens of servers, administrators focus on one jump server, a design that aligns with compliance standards like HIPAA and PCI-DSS. This centralization can reduce forensic investigation time by up to 80% compared to sifting through distributed logs, according to MindMesh Academy’s bastion host overview.
What the pattern gets right
The old pattern still works because it is operationally straightforward to reason about.
- One controlled entry point. Security teams know where administrative access starts.
- Cleaner audit boundaries. You can log authentication and shell activity in one place.
- No public IPs on app servers. Your private fleet remains inaccessible from the internet.
- Better fit for traditional SSH workflows. Existing tooling, ProxyJump configs, and terminal habits keep working.
For teams handling credentials and transport security carefully, the same discipline used for SSH access should also apply to application secrets and data exchange. A useful companion read is this overview of asymmetric and symmetric encryption, especially when you are deciding how keys and encrypted channels should be managed across environments.
Tip: A bastion is not “secure” because it exists. It is secure only when it is tightly scoped, patched, logged, and treated as disposable infrastructure.
Where teams get it wrong
Most bastion failures are self-inflicted. The host becomes a permanent pet server. Engineers widen inbound rules for convenience. Keys accumulate. Nobody rotates anything. Then the “secure jump box” turns into the most exposed machine in the account.
The pattern remains valuable. The catch is that it demands discipline.
Designing Your Secure Network Foundation
A secure bastion starts at the VPC layer, not at the EC2 launch screen. If the network layout is sloppy, no amount of SSH hardening will save it.
The reliable layout is straightforward. Put the bastion in a public subnet with a route to an Internet Gateway. Put application servers and databases in private subnets without direct public exposure. Administrative access should flow into the bastion first, then inward to private resources.
If your team wants a broader refresher on how these layers fit into a production stack, this primer on design the system architecture is worth reviewing before you codify the pattern in Terraform or CloudFormation.
The subnet layout that holds up in production
Keep the public side thin.
The public subnet should contain only what must accept internet-originated traffic. In this case, that is the bastion host and whatever supporting route is required for ingress. Your app instances, batch workers, and database tier should remain in private subnets.
A practical layout looks like this:
- Public subnet. Bastion EC2, route to Internet Gateway.
- Private application subnet. API instances, workers, internal admin services.
- Private data subnet. RDS or other stateful services with no internet exposure.
- Separate security boundaries. Different security groups for bastion, app, and database layers.
Security groups matter more than the instance
The bastion security group should be narrow. It should be highly restrictive.
Use inbound SSH only from trusted team-controlled source ranges. Do not allow broad internet access because it is easier during setup. On the private instances, do not allow SSH from the internet at all. Allow it only from the bastion’s security group.
That security-group-to-security-group reference is the cleanest option because it avoids coupling access policy to a single private IP on the bastion.
A production-ready rule set typically follows this pattern:
| Layer | Inbound rule | Why |
|---|---|---|
| Bastion SG | SSH from approved team IP ranges | Limits internet-facing access to known networks |
| App SG | SSH only from bastion SG | Prevents direct internet login to app hosts |
| DB SG | Database port only from app SG or admin path you explicitly approve | Keeps data tier isolated from user entry points |
NACLs should support, not fight, your design
Teams commonly overcomplicate Network ACLs. Use them as a subnet-level backstop, not as the primary access policy engine.
A sane approach is:
- Allow expected inbound and outbound traffic for the bastion subnet.
- Keep private subnet ACLs restrictive, while making sure return traffic is not accidentally blocked.
- Avoid duplicating every security group rule in NACLs unless you have a very specific governance requirement.
Key takeaway: Security groups should express intent. NACLs should enforce broad subnet boundaries. If both are doing the same job, troubleshooting becomes harder than it needs to be.
Common design mistakes
Some network patterns look secure on paper but create operational pain fast.
- Using the default VPC without review. It often carries assumptions you do not want in a hardened environment.
- Putting the bastion in the same trust zone as workloads. Give it a clear role and scope.
- Letting private instances initiate more connectivity than they need. Bastion access should not become a side door for lateral movement.
- Treating the database like another SSH target. Database access should ideally occur through tightly controlled tunnels or managed paths, not by normalizing direct shell habits.
The best bastion designs feel boring. That is a good sign. Predictable layouts are easier to secure, automate, and troubleshoot.
Deploying and Configuring the EC2 Bastion Host
Once the network is right, the EC2 bastion itself should stay minimal. This is not a workstation, a build runner, or a place to stash scripts. It is a controlled gateway.
For many first deployments, Amazon Linux is a practical choice because it aligns with AWS tooling and common operational docs. A small burstable instance such as t3.micro is often enough for a modest team, and the verified pricing references for bastion discussions frequently use that size as the baseline.
Launch choices that avoid future cleanup
Keep the launch configuration plain and intentional.
- AMI. Use the latest stable Amazon Linux image your organization approves.
- Instance type. Start small unless you already know session volume requires more.
- Public placement. Put the host in the dedicated public subnet.
- Public addressing. Attach an Elastic IP so your team and firewall rules do not chase a moving target.
- Storage. Use encrypted EBS and keep the volume small.
The bastion should not carry application code, long-lived user files, or copied SSH private keys. The cleaner it is, the safer replacement becomes.
A short visual walkthrough can help if you are doing this in the console for the first time:
Baseline hardening on first boot
User data is the easiest place to enforce the first layer of hardening. Use it to apply updates and tighten SSH behavior before anyone starts treating the instance as shared infrastructure.
A typical first-boot hardening script should handle these basics:
- Install security updates
- Disable password authentication
- Disable direct root login
- Set SSH idle timeouts
- Install logging or monitoring agents if your environment requires them
An example outline looks like this:
- Update packages on boot.
- Edit
sshd_configto disable password auth. - Restrict root login.
- Restart the SSH service.
- Enable whatever centralized log shipping your team uses.
Access patterns that do not leak keys
Do not copy private keys onto the bastion. That habit survives longer than people expect.
Use SSH agent forwarding or a properly defined local SSH config with a jump host. The private key stays on the engineer’s machine, and the bastion brokers the connection rather than becoming a credential storage point.
A practical local SSH config frequently includes:
- A bastion host entry with the Elastic IP and approved identity file
- Private host entries that route through the bastion with ProxyJump
- ForwardAgent only where needed, not globally
Tip: If you need to grant temporary access to a contractor or responder, time-box the SSH path and review whether Session Manager would give you tighter control with less cleanup.
Logging and accountability
If the bastion is your administrative choke point, it should also be your most observable Linux host.
At minimum, collect:
- Authentication logs
- Session activity where policy allows it
- OS-level events
- Cloud-side metadata such as instance lifecycle and security-group changes
Significant operational value shows up during an incident. Instead of searching across many instances first, the team can start with the one entry system that all privileged access should pass through.
What does not work well
A few patterns create trouble quickly:
- Long-lived snowflake bastions. Rebuildable is better than lovingly maintained.
- Wide-open SSH rules. If everyone can reach the host from everywhere, the bastion becomes just another exposed server.
- Shared user accounts. Named access is easier to audit and revoke.
- Manual drift. If launch settings, users, or packages are managed by hand, your secure baseline erodes over time.
The classic EC2 bastion is still valid. It just needs to be treated like infrastructure with a sharply defined purpose, not a convenience box.
The Modern Alternative AWS Systems Manager Session Manager
If you were starting from scratch today, the first question should not be “How do we build a bastion?” It should be “Do we need one at all?”
AWS Systems Manager Session Manager changes the model. Instead of exposing a hardened EC2 jump host on SSH, you connect to instances through AWS-managed control paths. No inbound port is required on the target instance. Not even port 22.
That alone removes a category of risk that every traditional bastion has to manage forever.
Why Session Manager changes the conversation
The strongest argument for Session Manager is not convenience. It is the security posture.
The verified AWS guidance behind this migration pattern highlights that SSM eliminates open inbound ports and can cut costs by avoiding a dedicated EC2 instance, saving about $10 to $20 per month for a t3.micro. The same source also notes anecdotal developer-forum evidence that 70% of users stick to bastions due to unfamiliarity with modern patterns, as summarized in this AWS Prescriptive Guidance pattern for Session Manager and EC2 Instance Connect.
Many teams experience this in practice. They keep the bastion because everyone understands SSH, not because it is the strongest long-term choice.
EC2 bastion versus Session Manager
Here is a comparison teams often consider before deciding.
| Feature | EC2 Bastion Host | SSM Session Manager |
|---|---|---|
| Public exposure | Requires a public-facing entry point | No inbound ports required |
| Access control | Commonly SSH key based plus network rules | IAM-controlled access |
| Key handling | SSH key lifecycle must be managed carefully | Avoids normal bastion key distribution patterns |
| Audit path | Logging must be configured deliberately on the host | Integrates with AWS-native session controls and logging paths |
| Infrastructure cost | Dedicated EC2 instance runs as the jump point | No separate bastion instance required |
| Legacy compatibility | Works well with existing SSH-heavy workflows | Best where teams can align on AWS-native access patterns |
When the old model still wins
Session Manager is not automatically the right answer for every stack.
Choose a traditional bastion when:
- Your tooling assumes direct SSH behavior
- You support legacy automation that is difficult to retrofit
- Your team needs a familiar jump-host pattern right now
- You have a compliance or operational requirement built around a controlled intermediary host
Choose Session Manager when:
- You want no inbound administrative ports
- You prefer IAM over scattered SSH key workflows
- You are standardizing on AWS-native operational controls
- You want to reduce the care and feeding of another EC2 instance
Key takeaway: Bastions centralize risk into one hardened host. Session Manager removes that host from the path entirely.
A practical decision framework
Use these questions in architecture review:
- Do engineers need raw SSH, or do they need shell access with auditability?
- Can your access policy live comfortably in IAM?
- Will your private instances consistently run the SSM agent and required role configuration?
- Is the team prepared to migrate habits, not just infrastructure?
That last point matters most. Session Manager frequently loses not because it is weaker, but because teams do not want to retrain muscle memory around access patterns.
For greenfield environments, I would strongly consider Session Manager first. For legacy environments, I would often keep the bastion temporarily, then reduce dependence on it over time.
Advanced Hardening Automation and Cost Optimization
A bastion that is secure on launch day but unmanaged afterward is not a mature solution. The durable pattern is automation plus strict operational boundaries.
The easiest way to enforce that is to build the bastion with Infrastructure as Code. Whether your team uses Terraform or CloudFormation matters less than one rule: the bastion should be recreated from code, not hand-tuned in the console.
Automate the host so drift stays visible
A good bastion module typically defines:
- The EC2 instance
- The security group with tightly scoped ingress
- The Elastic IP
- Instance profile or IAM role
- Bootstrap user data
- Log integration
Keep the module small. If your bastion template starts growing into a general-purpose server definition, split responsibilities back out.
A lightweight Terraform shape might include resources for the instance, security group, and EIP, plus variables for allowed SSH source ranges and subnet placement. The important part is not the syntax. It is that every change becomes reviewable.
Hardening that teams maintain
Most hardening guides fail because they propose controls nobody maintains after day one.
Focus on controls with operational staying power:
- Least-privilege IAM role. Give the bastion only what it needs for logging and management.
- Shell history and auth logs sent to CloudWatch Logs. Centralized records matter more than perfect local retention.
- Regular rebuilds. Immutable replacement beats years of manual cleanup.
- MFA and source restriction for anyone reaching the host. The bastion should never be the easy path.
For environments moving toward broader distributed systems patterns, cloud native architecture thinking helps. Disposable infrastructure, declarative setup, and centralized observability are better fits than pet servers with tribal knowledge attached.
Tip: The best bastion is one your team can replace quickly without opening a ticket, hunting for an old key, or guessing which manual edits were important.
Cost control for real teams
A bastion is typically cheap until nobody pays attention to it. Then it becomes one additional always-on box, frequently oversized, frequently underused.
Verified guidance on this topic is more useful than most tutorials. Many guides overlook dynamic provisioning for bastion hosts; while a t3.micro at about $7 per month works for small teams, costs can escalate without Auto Scaling Groups. Using ASGs and Lambda for on-demand provisioning can reduce idle bastion costs by 60% to 80%, addressing overspend found in 25% of audited AWS accounts, according to this Dev.to discussion of bastion host operations and scaling.
That matters because bastions are bursty by nature. Many teams need them during office hours, release windows, or incidents. They do not need them serving idle CPU cycles around the clock.
A practical cost pattern looks like this:
| Optimization move | Operational effect |
|---|---|
| Scheduled availability | The bastion exists only when teams are likely to need it |
| On-demand scaling trigger | Temporary access windows can bring it up when required |
| Small default instance size | Reduces waste when the box is lightly used |
| Rebuild instead of maintain | Limits the hidden labor cost of patching drifted hosts |
Where optimization can backfire
Do not optimize the bastion into unreliability.
Avoid these traps:
- Aggressive shutdown schedules without an emergency path
- Overcomplicated bootstrap logic that delays readiness
- Too many coupled dependencies for a host whose job is simple
- Saving a few dollars while making incident access harder
A hardened bastion should be cheap, automated, and boring. If it becomes clever, it typically becomes fragile.
Troubleshooting Common Bastion Host Issues
Most bastion failures come down to three areas: network path, SSH auth, or hop configuration.
Connection timed out
If the first SSH connection to the bastion hangs, start with the public path.
Check these in order:
- Security group inbound rule. Confirm SSH is allowed from the approved source range you are connecting from.
- Public subnet route table. Make sure the subnet used by the bastion has a route to the Internet Gateway.
- Network ACL behavior. Verify the subnet ACL is not blocking inbound SSH or the related return traffic.
- Elastic IP association. Confirm you are connecting to the correct public address.
If all four look right, verify the instance is in the expected subnet and state.
Permission denied publickey
This typically means the server rejected your key or your client never offered the correct one.
Work through the basics:
- Confirm the local private key file permissions are restrictive
- Check you are using the intended username for the AMI
- Verify the matching public key is present on the host
- Make sure your SSH client is loading the correct identity
If you use multiple keys locally, force the client to present the one you intend rather than letting it guess.
Agent forwarding problems
The second hop, from bastion to private instance, often fails because forwarding is not enabled.
Check for these issues:
- Local agent not loaded. Add the key to your local SSH agent first.
- ForwardAgent not enabled. Set it in your SSH config or connection command when needed.
- Private instance security group. Confirm it allows SSH from the bastion security group.
- Key mismatch on the private target. The forwarded identity still must match an authorized key there.
Tip: If agent forwarding becomes a recurring support issue across the team, that is frequently a sign to evaluate Session Manager for day-to-day access.
A strong bastion setup should be simple to diagnose. If troubleshooting always turns into archaeology, the design needs cleanup, not better runbooks.
Backend Application Hub publishes practical backend engineering guides for teams making architecture, security, and tooling decisions. If you want more implementation-focused content on backend systems, DevOps workflows, API security, and framework trade-offs, explore Backend Application Hub.
Add Comment