# random
e
Hey guys, does anyone have an idea about the best architecture to adopt to prevent unauthorized access to AWS infra? I can think of OpenVPN (2FA + user list control) + whitelisting to a bastion host, and then SSH to the private subnet using a pem key. I did not implement this; this is what my company had at that time. I am not sure if this is the best method or if there are best practices out there.
c
The company architecture has a sound security model. I usually allow SSH if they are connected over the VPN.
q
We recently disabled all SSH access to our EC2 instances, closed port 22 and started using Session Manager to connect, where the users connect using their IAM users / appropriate roles. This removes the need for a bastion host (even whitelisting may not be needed) and for managing pem keys, and gives an audit trail in the logs. Another best practice that we adopted a few months ago is to use temporary credentials to connect or run AWS CLI scripts, rather than the actual access key ID / secret key. We use aws-vault for that, which also supports 2FA.
👍 2
💯 2
e
Adding to what @quaint-elephant-2032 said, try to integrate with official accounts, e.g. G Suite, which makes it easy over time to manage exits.
e
Thank you very much, guys. @quaint-elephant-2032, can you point me to some documentation on how to implement this? That'd be super useful.
l
@eager-plastic-76453 You can also look into https://www.boundaryproject.io
👍 1
e
@lemon-knife-94497 Will check this out. Thank you.
q
can you point me to some documentation on how to implement this
Hi Akilesh, I followed the AWS documentation for this. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started.html
👍 1
e
Thank you, @quaint-elephant-2032. Appreciate this.