This secure solution I introduced to one of the largest financial institution in US to access their linux vm from private / restricted subnets. It's the best practice to host critical infrastructure in restricted subnets.
Requirement was must not open known firewall / security group port open for bastion host.
Prerequisites
For this post, I used MacOS version 12.5.1 workstation
Install AWS Command Line Interface (AWS CLI tool) to your workstation.
Install AWS Session Manager Plugin to your workstation.
Create Custom IAM role for Session Manager, for this post I am not using KMS key and S3 bucket configuration.
For this demo I created new AWS Identity and Access manager (IAM) user with programmatic access to AWS Account.
For this demo I already created Linux vm in private / restricted subnet.
Solution Overview
I created a new Amazon Elastic Compute Cloud EC2 security group with no single port open at inbound rules. Then lunched new Window instance at public subnet and attached above step #3 IAM role and no port opened security group. If require see below for detail step for lunching basing host. See below screenshot for example
Above Linux and Windows bastion host must be in same AWS Virtual Private Cloud (Amazon VPC). On Linux instance security group inbound rule you can update with Windows bastion host private ip address that way no other host from same vpc can connect. No IAM role need to attach to Linux vm or open for the whole vpc cidr. See below sample screenshot. 
Here are detail steps for provision bastion host (for this demo/blog)
On the Amazon EC2 console, choose the Windows 2019 base image
Choose the t2.micro instance class
For Subnet, choose a public subnet with auto assign ip but not going to use dns/public ip address
For IAM role choose the IAM role created above
Choose Review and Launch.
Before create remote session better to verify AWS CLI and SSM plugin on your workstation.
Here are commands and sample output.
AWS CLI Version
Command: aws --version
Sample output: aws-cli/2.4.5 Python/3.8.8 Darwin/21.6.0 exe/x86_64 prompt/off
AWS Session Manager Plugin Verification
Command: session-manager-plugin
Sample output: The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.
AWS Session Manager Version
Command: session-manager-plugin --version
Output: 1.2.339.0 (latest version for now)
Create a remote RDP port forwarding session
In this session, I created a port forwarding session to remote host using AWS Systems Manager and connecting to RDP instance.
Store AWS Credential file using AWS Configure command. You can view detail how to setup at https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
Create a Systems Manager Session to RDP/bastion host
aws ssm start-session
--target <your bastion instance id>
--document-name AWS-StartPortForwardingSession `
--parameters portNumber="3389",localPortNumber="13389"
You should see something similar like this
Starting session with SessionId: demo-0ec9fd2af3cce14fd
Port 13389 opened for sessionId demo-0ec9fd2af3cce14fd.
Waiting for connections...
Leave that session open and use Microsoft Remote Desktop to connect to RDP instance.. with hostname as localhost:13389 and enter user name and password. Do not use RDP DNS nor public IP address to connect.
On my solution I configured SSH Agent forwarding on RDP/bastion host. You should never store aws key pair in bastion host. I followed this blog "Secure Connect to Linux Instances Running in a Private Amazon VPC" to setup SSH Agent forwarding.
Conclusion
Using my securely connect to bastion host with SSM port forwarding and ssh agent forwarding methods we are supporting securely servers at Private VPC. Here is high level digram.
Here is my short video about this securely access rdp server solution .
Thank you!!
Top comments (0)