Skip to content

cfn-modules/ssh-bastion

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

34 Commits
.github
.github
 
 
test
test
 
 
.gitignore
.gitignore
 
 
.yamllint
.yamllint
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
module.yml
module.yml
 
 
package.json
package.json
 
 

Repository files navigation

cfn-modules: SSH bastion

SSH bastion (jump server, bastion host) based on Amazon Linux with a fixed public IP address (Elastic IP), running in a 1:1:1 auto scaling group, alerting, and IAM user SSH access.

Install

Install Node.js and npm first!

npm i @cfn-modules/ssh-bastion

Usage

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'cfn-modules example'
Resources:
  Bastion:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        VpcModule: !GetAtt 'Vpc.Outputs.StackName' # required
        AlertingModule: !GetAtt 'Alerting.Outputs.StackName' # optional
        HostedZoneModule: !GetAtt 'HostedZone.Outputs.StackName' # optional
        KeyName: '' # optional
        IAMUserSSHAccess: false # optional
        InstanceType: 't2.nano' # optional
        LogGroupRetentionInDays: 14 # optional
        SubDomainNameWithDot: 'ssh.' # optional
      TemplateURL: './node_modules/@cfn-modules/ssh-bastion/module.yml'

Examples

Related modules

none

SSH

Single user: ec2-user

Specify the same KeyName parameter for the SSH bastion and all other stacks you want to connect to.

Use ssh -J ec2-user@$BastionPublicIpAddress $TargetPrivateIpAddress and replace $BastionPublicIpAddress with the PublicIpAddress output of the SSH bastion module stack; $TargetPrivateIpAddress with the private IP address of the EC2 instance you want to connect to.

Personalized users (IAMUserSSHAccess := true)

Enable the IAMUserSSHAccess parameter for the SSH bastion and all other stacks you want to connect to.

Use ssh -J $UserName@$BastionPublicIpAddress $TargetPrivateIpAddress and replace $UserName with your IAM user name; $BastionPublicIpAddress with the PublicIpAddress output of the SSH bastion module stack; $TargetPrivateIpAddress with the private IP address of the EC2 instance you want to connect to.

Parameters

Name Description Default Required? Allowed values
VpcModule Stack name of vpc module yes
AlertingModule Stack name of alerting module no
HostedZoneModule Stack name of module implementing HostedZone no
KeyName Key name of the Linux user ec2-user to establish a SSH connection to the EC2 instance no
IAMUserSSHAccess Synchronize public keys of IAM users to enable personalized SSH access (https://github.com/widdix/aws-ec2-ssh)? false no [true, false]
InstanceType The instance type for the EC2 instance t2.nano no
LogGroupRetentionInDays Specifies the number of days you want to retain log events 14 no [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
SubDomainNameWithDot Name that is used to create the DNS entry with trailing dot, e.g. §{SubDomainNameWithDot}§{HostedZoneName}. Leave blank for naked (or apex and bare) domain. Requires HostedZoneModule parameter! test. no

Limitations

  • Highly available: A single EC2 instance is running at a time (will be automatically replaced in case of failure)
  • Scalable: EC2 instances capacity (CPU, RAM, network, ...) is limited by design
  • Secure: Root volume is not encrypted at-rest (not possible unless the AMI is encrypted)
  • Secure: Root volume it not backed up
  • Monitoring: Network In+Out is not monitored according to capacity of instance type

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

4 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

9 tags

Packages

No packages published

Languages