Bastion Hosts for Cloud Computing

By Rich

From the Amazon Web Services security blog:

A best practice in this area is to use a bastion. A bastion is a special purpose server instance that is designed to be the primary access point from the Internet and acts as a proxy to your other EC2 instances.

We do some similar things, but these are nice instructions for you Windows folks using RDP. You can also layer on monitoring, as most privileged user management tools do. Keep your eye out for tools that proxy the cloud management plane though – I expect that area to grow quite a bit.

I don’t want to promote any products, so I am being a bit cagey, but there is stuff out there, and more coming. For the management plane you need to fully proxy the API calls, which essentially means you need a translation layer: intercept the call, which the user signed with local credentials, analyze the request, then reassemble the API call with valid credentials for the cloud service provider. Unless you can convince Amazon/Rackspace/Microsoft to install a custom proxy in front of their entire service for you, and let you manage through that.

It could happen.
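To make the translation-layer idea concrete, here is an added example (not code from this post, Securosis, or any cloud provider) of a minimal management-plane broker. A user signs an API request with local credentials that only the proxy knows; the proxy verifies that signature, checks the caller's policy, writes an audit entry, and only then re-signs the request with the real provider credentials, which never leave the proxy. The user names, secrets, the `Action` parameter convention and the HMAC-SHA256 signing scheme are all constructed for illustration; a real provider's request-signing format differs.

```python
"""Added illustration of a cloud management-plane proxy (hypothetical code).

Flow:
  1. the client signs a request with LOCAL credentials issued by the proxy
  2. the proxy verifies that signature, applies per-user policy, and audits
  3. the proxy re-signs the request with the PROVIDER credentials and forwards it

The signing scheme is a constructed HMAC stand-in, not a provider's real format.
"""
import hashlib
import hmac
import json

# Constructed sample data: local users the proxy issued credentials to, each with
# the set of API actions they are allowed to call through the proxy.
LOCAL_USERS = {
    "alice": {"secret": b"alice-local-secret",
              "allowed": {"DescribeInstances", "StartInstances"}},
    "bob":   {"secret": b"bob-local-secret",
              "allowed": {"DescribeInstances"}},
}
# Placeholder provider credentials; only the proxy holds these.
PROVIDER_KEY_ID = "PROVIDER-KEY-ID-PLACEHOLDER"
PROVIDER_SECRET = b"provider-secret-placeholder"


class ProxyDenied(Exception):
    """Raised when the proxy refuses to forward a request."""


def canonical(request: dict) -> bytes:
    """Stable byte form of method, path and parameters so signatures are comparable."""
    body = {"method": request["method"], "path": request["path"], "params": request["params"]}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(secret: bytes, request: dict) -> str:
    """HMAC-SHA256 over the canonical request (constructed scheme)."""
    return hmac.new(secret, canonical(request), hashlib.sha256).hexdigest()


def client_sign(user: str, request: dict) -> dict:
    """What the user's tooling does: sign with local credentials only."""
    signed = {"user": user, "method": request["method"],
              "path": request["path"], "params": request["params"]}
    signed["signature"] = sign(LOCAL_USERS[user]["secret"], request)
    return signed


def broker(signed_request: dict, audit_log: list) -> dict:
    """Verify the local signature, apply policy, audit, then re-sign for the provider."""
    user = signed_request.get("user")
    entry = LOCAL_USERS.get(user)
    if entry is None:
        audit_log.append({"user": user, "action": None, "decision": "deny", "reason": "unknown user"})
        raise ProxyDenied("unknown local user")

    # Rebuild the request from the signed fields so the signature check covers
    # exactly what will be forwarded; any tampering after signing fails here.
    request = {k: signed_request[k] for k in ("method", "path", "params")}
    expected = sign(entry["secret"], request)
    if not hmac.compare_digest(expected, signed_request.get("signature", "")):
        audit_log.append({"user": user, "action": None, "decision": "deny", "reason": "bad signature"})
        raise ProxyDenied("local signature does not match request")

    action = request["params"].get("Action")
    if action not in entry["allowed"]:
        audit_log.append({"user": user, "action": action, "decision": "deny", "reason": "policy"})
        raise ProxyDenied(f"{user} is not permitted to call {action}")

    audit_log.append({"user": user, "action": action, "decision": "allow"})

    # Re-sign with provider credentials; the local user and signature are dropped.
    forwarded = dict(request)
    forwarded["key_id"] = PROVIDER_KEY_ID
    forwarded["signature"] = sign(PROVIDER_SECRET, request)
    return forwarded


if __name__ == "__main__":
    log = []
    req = {"method": "GET", "path": "/", "params": {"Action": "StartInstances", "InstanceId": "i-0"}}
    print(broker(client_sign("alice", req), log))
    try:
        broker(client_sign("bob", req), log)
    except ProxyDenied as exc:
        print("denied:", exc)
    print(log)
```

The point of rebuilding `request` from the signed fields before verifying is that the policy decision and the provider signature are computed over the same bytes the user signed, so a request altered after local signing is rejected rather than forwarded under the provider's credentials.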


+1 from the Xceedium team.

We are getting a bunch of inbound requests from our customers—large enterprises—on how the AWS API security features work and what else they need to do to make sure they do their part to protect. Stay tuned for a few blogs on the topic…

By Patrick McBride
