Study Guides > AWS Cybersecurity Notes > Building a Bastion server - Part 9

Bastion hosts

• These act as a jump box.

• Installed on a public subnet.

• The only purpose is to provide access from the private subnet from the internet.

General Bastion Guidance

• Select a minimal operarting system.

• Extra services could provide extra ingress points.

• Limit active services.

• Harden the default OpenSSH configurations

• The configuration file is located in/etc/ssh/sshd_config

• Disable root login.

• Set password autheitcation and idele timeout values to acceptable numbers.

• Make sure uncessary ports are cloded.

• Security groups assgiened to the bastion host should specifiy limited IP ranges.

• (0.0.0.0/0) is wrong specifiy the exact IP range or access.

Other Options

• AWS Session mannager provides bastion as a service.

• No need to install a physical server.

• requires the SSM agent to be registered.

AWS Session Manager

• Provides a more stramiled approach than using a bastion server.

• Offers a web interface.

• Reduces the complexity of installing and securing another server.