AWS Bastion Hosts: What They Are and How They Work

Jay Tillu

Arjun is a Cloud Security Engineer who is setting up a production-grade AWS architecture. His EC2 instance holds critical data, so he places it inside a private subnet — completely isolated from the internet.

But then...
He needs to SSH into that instance to perform updates.
Except — it’s private.
No internet. No public IP. No direct access.

Arjun asks:

“How do I securely reach this EC2 inside a private subnet?”


🚪 Enter: The Bastion Host (aka Jump Box)

📖 Definition:

A Bastion Host (also called a Jump Server or Jump Box) is a special EC2 instance deployed in a public subnet that acts as a controlled entry point into a private network or subnet.


🔍 Why Do We Need a Bastion Host?

🔒 Private subnets are intentionally cut off from direct access to the internet.
🚫 No public IP = No SSH from outside.
✅ So, a Bastion Host becomes your middleman: it sits in the public subnet, and you SSH into it first. From there, you “jump” into your private EC2.

That’s why it’s often called a Jump Server.


💡 Conceptual Breakdown

Component      | What It Does
Public Subnet  | Has internet access (via Internet Gateway)
Bastion Host   | EC2 instance in the public subnet, with a public IP
Private Subnet | No internet; EC2s here are not reachable from the outside
SSH Flow       | Your machine → Bastion → Private EC2

The Bastion Host is the only exposed node that lets trusted admins into your private environment.


🧱 Arjun’s Secure Setup

🛡️ Security Group Rules

Instance     | Inbound Rule
Bastion Host | Allow SSH (port 22) from your IP only
Private EC2  | Allow SSH (port 22) from the Bastion Host's Security Group

✅ This ensures that only authorized IPs can reach the Bastion, and only the Bastion can reach the private EC2.
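As an added example that is not part of the original post, here is a small Python check that audits the two inbound rules above against the design: the Bastion's group must allow port 22 only from single-host CIDRs, and the private EC2's group only from the Bastion's security group. The group IDs and the admin CIDR are constructed placeholders, and each rule dict follows the IpPermissions layout (IpRanges, UserIdGroupPairs) that the EC2 DescribeSecurityGroups API returns.

```python
# Added example: audit Bastion / private-EC2 security-group rules against the design.
# Sample data is constructed for this example: group IDs and the admin CIDR are
# placeholders; real DescribeSecurityGroups responses also carry Ipv6Ranges.
import ipaddress

BASTION_SG = "sg-0bastion0000000001"   # placeholder ID
PRIVATE_SG = "sg-0private0000000001"   # placeholder ID
ADMIN_CIDR = "203.0.113.10/32"         # placeholder for "your IP" (TEST-NET-3 range)

SAMPLE_GROUPS = {
    BASTION_SG: [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": ADMIN_CIDR}], "UserIdGroupPairs": []}],
    PRIVATE_SG: [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]}],
}

def ssh_rules(perms):
    """Yield inbound permissions that cover TCP/22 (including 'all traffic' rules)."""
    for p in perms:
        if p["IpProtocol"] == "-1":                      # all protocols and ports
            yield p
        elif p["IpProtocol"] == "tcp" and p.get("FromPort", 0) <= 22 <= p.get("ToPort", 65535):
            yield p

def audit_bastion(perms):
    """Findings for the Bastion SG: SSH only from single-host CIDRs, never from an SG."""
    findings = []
    for p in ssh_rules(perms):
        for r in p.get("IpRanges", []):
            if ipaddress.ip_network(r["CidrIp"], strict=False).num_addresses > 1:
                findings.append(f"SSH open to {r['CidrIp']}")      # wider than one host
        for g in p.get("UserIdGroupPairs", []):
            findings.append(f"SSH from security group {g['GroupId']} instead of admin IPs")
    return findings

def audit_private(perms, bastion_sg):
    """Findings for the private EC2 SG: SSH only from the Bastion's SG, no CIDRs at all."""
    findings = []
    for p in ssh_rules(perms):
        findings += [f"SSH open to CIDR {r['CidrIp']}" for r in p.get("IpRanges", [])]
        findings += [f"SSH from unexpected group {g['GroupId']}"
                     for g in p.get("UserIdGroupPairs", []) if g["GroupId"] != bastion_sg]
    return findings

def audit(groups, bastion_sg, private_sg):
    """Map each group ID to its findings; empty lists mean the rules match the design."""
    return {bastion_sg: audit_bastion(groups[bastion_sg]),
            private_sg: audit_private(groups[private_sg], bastion_sg)}
```

Running `audit(SAMPLE_GROUPS, BASTION_SG, PRIVATE_SG)` on the constructed data returns empty finding lists for both groups; feed it the IpPermissions of your real groups to see where a rule drifts from the design.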


👨‍💻 Arjun’s SSH Process

# Step 1: Connect to Bastion Host (has public IP)
ssh -i bastion-key.pem ec2-user@<bastion-public-ip>

# Step 2: From Bastion, connect to private EC2 (uses private IP)
# Note: this step needs ec2-key.pem present on the Bastion. Keeping the key on
# your own machine and hopping via ProxyJump (ssh -J) avoids copying it there.
ssh -i ec2-key.pem ec2-user@<private-ec2-private-ip>

Now Arjun is safely inside the private EC2 instance — without exposing it to the public internet.


🔐 Bastion Host: Key Security Principles

Security Principle          | Implementation Tip
Least Privilege             | Only admins get SSH access to the Bastion Host
IP Whitelisting             | Restrict inbound access to trusted IPs
Temporary Use               | Turn off the Bastion when not in use
No Internet for Private EC2 | Never assign public IPs to private EC2s
Audit Trail                 | Use CloudTrail or EC2 logging agents for access tracking

📘 AWS SAA Exam Tips

These points are often seen in the AWS Certified Solutions Architect Associate exam:

  • Bastion host = jump box into private subnet

  • Must be in a public subnet

  • Private EC2 must allow SSH from bastion's security group, not from internet

  • Do not expose private EC2s to the internet

  • Better practice: Use SSM Session Manager for improved access management (no SSH at all)


🧠 AWS SAA Exam Takeaways

Topic                           | What You Must Know
Bastion Host Purpose            | Secure SSH into private EC2s
Deployment                      | EC2 in public subnet, with Internet Gateway
Security Group for Bastion Host | Allow SSH only from specific IPs
Security Group for Private EC2  | Allow SSH only from the Bastion Host (SG or IP)
Alternative                     | AWS Systems Manager Session Manager (no SSH!)

⚖️ Bastion Host vs. Other Access Methods

Method                 | SSH Required? | Public IP Needed? | Secure?
Bastion Host           | ✅            | ✅ (for Bastion)  | ✅ If configured properly
Direct SSH (public IP) | ✅            | ✅                | ❌ (Risky)
SSM Session Manager    | ❌            | ❌                | ✅ (Best Practice)

🎯 Final Thoughts from Arjun

“Don’t expose what you can protect.
Bastion hosts give you access with a layer of control—
but only if you configure them right.”


💬 Bonus Question: Why Not Just Give a Public IP to Private EC2?

Because then it's no longer private.
It breaks your security design.
Your private subnet becomes exposed.

Bastion Host keeps your design clean and secure — one entry, one exit.



Written by

Jay Tillu

Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!