Search for "do I really need a bastion server", or "what is more secure than a bastion host". You will find some interesting articles on why you don’t need them (Linux or Windows).
To me, the idea of a bastion/jump server encourages the "hard shell, soft center" approach to security. Why harden JUST a few servers (the bastion/jump boxes)? AWS provides lots of automation options to manage your environment. There are also readily-available hardened AMIs from CIS in the AWS Marketplace. I would postulate that hardening all OSs is not that complex and also should be a best practice.
I know the AWS exams will only talk about bastion hosts being a good thing, so we do all need to remember that for the exams. Once you have passed the exams I would suggest taking a long look at why you need bastion/jump servers. They add to the list of devices you need to manage. That adds a bit of complexity and cost to your environments. There are many ways to provide the same, if not better, security by not deploying them.
I have not deployed bastion/jump servers at my last two companies. I went with tighter network and firewall rules (NACLs and SGs), hardened OSs for all instances, regular (monthly) OS and application security updates, a lot of logging (Splunk, ELK, DataDog), and of course a gazillion alerts (which does take a long time to tune properly!). With all of this in place, I feel like my environments are more secure and easier to use/manage by removing the added layer of the bastion/jump hosts.
Thanks for listening…
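The post above relies on tight security-group rules rather than a bastion tier. The following is an added example (not the commenter's own code or tooling) of the kind of check that backs such a design: it walks a document shaped like `aws ec2 describe-security-groups` output and flags admin ports (SSH/RDP) and database ports that are reachable from a CIDR instead of a referenced security group, with the public-Internet cases ranked highest. The security group JSON embedded below is constructed sample data, not real groups.

```python
import json
from ipaddress import ip_network

# Ports an attacker would target first; the app tier should expose none of them
# to the Internet, and the DB tier should accept them only from an app-tier SG.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}
DB_SERVICES = {"mysql", "postgres", "mssql"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output (not real groups).
SAMPLE_SGS = json.loads(r'''
{"SecurityGroups": [
  {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
  ]},
  {"GroupId": "sg-db", "GroupName": "rds-tier", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}
  ]},
  {"GroupId": "sg-legacy", "GroupName": "legacy-win", "IpPermissions": [
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}
  ]}
]}
''')


def rule_covers_port(perm, port):
    """True if an inbound permission allows TCP traffic to `port`.

    IpProtocol "-1" means all protocols and all ports, so it always matches.
    Non-TCP rules never cover the TCP services we care about.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_security_groups(doc):
    """Return one finding per (group, rule, sensitive port, CIDR source).

    Severity: "high" when the source is 0.0.0.0/0 or ::/0 (reachable from anywhere),
    "medium" when a DB port is opened to any CIDR instead of an SG reference,
    "low" when an admin port (ssh/rdp) is opened to a non-public CIDR; that is the
    case where Systems Manager Session Manager would let you drop the inbound port.
    Rules whose only sources are UserIdGroupPairs (SG references) produce nothing.
    """
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port, service in sorted(SENSITIVE_PORTS.items()):
                if not rule_covers_port(perm, port):
                    continue
                for cidr in sources:
                    if ip_network(cidr, strict=False).prefixlen == 0:
                        severity = "high"
                    elif service in DB_SERVICES:
                        severity = "medium"
                    else:
                        severity = "low"
                    findings.append({
                        "group_id": sg["GroupId"],
                        "group_name": sg.get("GroupName", ""),
                        "port": port,
                        "service": service,
                        "source": cidr,
                        "severity": severity,
                    })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SGS):
        print(f"{f['severity']:6} {f['group_id']:10} {f['service']}/{f['port']} from {f['source']}")
```

In practice the input would come from `aws ec2 describe-security-groups --output json` on a schedule, and the "high" findings are the ones to wire into the alerting pipeline; the "low" ones are the list of hosts still depending on an inbound admin port.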
I can bring you a few scenarios where you need a Bastion:
1. Prod VPC with ALB, app on EC2 instances in private subnets and RDS in a private subnet. How will you manage RDS (run SQL queries from outside the VPC, add table, drop table, merge, etc.)?
2. Prod VPC with ALB and app running on Windows EC2 instances in private subnets. I don’t think you can deploy every single app with PowerShell.
Automation and Systems Manager can solve a lot of problems but not all.
I tend to agree with you. I still think that it is a good control point, but defence in depth relegated the Bastion to being just one of multiple control points rather than the control point.
I will say that for many small-time installations, it is an easy and robust way to start out rather than developing the robust security design and implementation that they should have (but won’t).
Thank you for contributing a different perspective.
Moderator & Coach