Jump hosts are useful for securely accessing hosts on private networks or individually secured network segments. AWS and Azure, however, offer the same capability as platform services (PaaS), where responsibility for the underlying infrastructure stays with the cloud vendor and customers can further reduce their IaaS footprint. This document describes the different offerings and attempts a comparison between them. It is not an exhaustive description: there may be errors, and details may be missing or may have changed in the meantime. Review the official documentation for full and up-to-date details; some links are provided in the References section.
# | Hyperscaler | Offering |
---|---|---|
1 | GCP | GCP does not seem to have an offering for a managed bastion server. Steps for creating a bastion host on the Google Cloud Platform are outlined in the Google Cloud documentation |
2 | AWS | AWS Systems Manager Session Manager |
3 | Azure | Azure Bastion |
AWS Session Manager is part of the AWS Systems Manager ecosystem, which is an end-to-end management solution for hybrid cloud environments. Session Manager belongs to its Node Management features.
AWS Systems Manager provides a browser-based interactive shell, CLI and browser based remote desktop access for managing instances on your cloud, or on-premises and edge devices, without the need to open inbound ports, manage Secure Shell (SSH) keys, or use bastion hosts. Administrators can grant and revoke access to instances through a central location by using AWS Identity and Access Management (IAM) policies. This allows you to control which users can access each instance, including the option to provide non-root access to specified users. Once access is provided, you can audit which user accessed an instance and log each command to Amazon Simple Storage Service (S3) or Amazon CloudWatch Logs using AWS CloudTrail.
— Amazon Web Services [5]
For full details, please see the Session Manager Prerequisites outlined in the AWS documentation.
- Session Manager supports all operating system versions that are supported by AWS Systems Manager.
- Requires an agent to be deployed on the managed nodes (AWS Systems Manager SSM Agent version 2.3.68.0 or later; for encrypted sessions 2.3.539.0 or later).
- A session user with root / Administrator permissions (ssm-user) is automatically created.
- HTTPS outbound traffic to specific AWS endpoints is required for all managed nodes (unless AWS PrivateLink is used).
- When using Session Manager to connect to non-EC2 nodes, the advanced-instances tier must be activated. This incurs additional charges.
"AWS Systems Manager Session Manager allows you to centrally grant and revoke user access to managed nodes." [9] AWS IAM policies are used to control access to the managed nodes and control access over the Session Manager API. AWS provides a set of sample policies for Session Manager.
AWS Systems Manager Session Manager is shipped with the following configurable session preferences:
- Specify an idle session timeout between 1 and 60 minutes. The AWS documentation notes that some professional computing security agencies recommend an idle timeout of no more than 15 minutes. [12]
- Specify maximum session duration between 1 and 1,440 minutes.
- Configurable shell profiles.
- Run-as support for Linux and macOS managed nodes, so that sessions do not use the default, system-generated ssm-user credentials.
- Encryption of session data between managed nodes and the local machines of users. This requires AWS KMS and is in addition to TLS 1.2.
- Restrict access to commands in a session. Through AWS Systems Manager Documents, it is possible to restrict which commands a user can run on which managed nodes.
- AWS PrivateLink is supported by AWS Session Manager. [14]
- Session Manager can act as a tunnel for SSH and RDP connections (through AWS CLI).
- Sessions can be audited using AWS CloudTrail. [15]
- Session data can be streamed/logged to CloudWatch Logs or logged directly into an S3 bucket. [16]
Alternatively, in order to establish RDP connections directly from the browser, AWS Systems Manager Fleet Manager is required, however, there are limitations to be aware of - such as specific timeouts and a maximum of 25 concurrent RDP connections per region and account [17].
The AWS Systems Manager Pricing documentation does not indicate additional charges for accessing Amazon EC2 instances through AWS Systems Manager Session Manager. However, network egress traffic will incur costs.
Furthermore, when Session Manager is used in hybrid scenarios to access on-premises VMs (or, generally, non-EC2 instances), then the advanced on-premises instance tier is required, which will incur additional costs as well.
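The session preferences listed above are stored in a Session-type SSM document (SSM-SessionManagerRunShell) and are easy to leave at their permissive defaults: root ssm-user sessions, no idle limit below the recommended 15 minutes, no KMS encryption, no log destination. The following audit is an added example written for this page, not AWS code; the input key names follow the AWS preferences document schema, and both sample documents, the log group name, KMS alias and run-as user are constructed.

```python
"""Audit a Session Manager preferences document (SSM-SessionManagerRunShell content).

Added example, not AWS code. Input keys follow the AWS preferences document schema
(idleSessionTimeout, maxSessionDuration, kmsKeyId, runAsEnabled, runAsDefaultUser,
s3BucketName, cloudWatchLogGroupName, ...). Both sample documents are constructed.
"""
import json

MAX_RECOMMENDED_IDLE_MINUTES = 15   # upper bound cited in the AWS documentation
DEFAULT_SESSION_USER = "ssm-user"   # system-generated root/Administrator user

# Constructed: a preferences document left close to the defaults.
WEAK_PREFERENCES = json.dumps({
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "", "s3KeyPrefix": "", "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "", "cloudWatchEncryptionEnabled": True,
        "cloudWatchStreamingEnabled": False,
        "kmsKeyId": "",
        "runAsEnabled": False, "runAsDefaultUser": "",
        "idleSessionTimeout": "20", "maxSessionDuration": "",
        "shellProfile": {"windows": "", "linux": ""},
    },
})

# Constructed: the same document after hardening (log group, key alias and OS user are assumed names).
HARDENED_PREFERENCES = json.dumps({
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "", "s3KeyPrefix": "", "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "session-manager-logs",
        "cloudWatchEncryptionEnabled": True, "cloudWatchStreamingEnabled": True,
        "kmsKeyId": "alias/session-manager",
        "runAsEnabled": True, "runAsDefaultUser": "ops",
        "idleSessionTimeout": "15", "maxSessionDuration": "60",
        "shellProfile": {"windows": "", "linux": ""},
    },
})


def _minutes(value):
    """Numeric preferences are stored as strings; '' means 'not set'."""
    return int(value) if str(value).strip() else None


def audit_session_preferences(document_json):
    """Return a list of findings for a preferences document; an empty list means no issues."""
    inputs = json.loads(document_json).get("inputs", {})
    findings = []

    idle = _minutes(inputs.get("idleSessionTimeout", ""))
    if idle is None or idle > MAX_RECOMMENDED_IDLE_MINUTES:
        findings.append(f"idleSessionTimeout is {idle!r}; set it to at most {MAX_RECOMMENDED_IDLE_MINUTES} minutes")
    if _minutes(inputs.get("maxSessionDuration", "")) is None:
        findings.append("maxSessionDuration not set; sessions have no hard upper bound")

    if not inputs.get("kmsKeyId"):
        findings.append("kmsKeyId empty; session data is protected by TLS only, not additionally KMS-encrypted")

    if not inputs.get("runAsEnabled"):
        findings.append(f"runAsEnabled is false; sessions run as {DEFAULT_SESSION_USER} (root/Administrator)")
    elif not inputs.get("runAsDefaultUser"):
        findings.append("runAsDefaultUser empty; the OS user then comes from each principal's SSMSessionRunAs tag")

    to_s3 = bool(inputs.get("s3BucketName"))
    to_cw = bool(inputs.get("cloudWatchLogGroupName"))
    if not (to_s3 or to_cw):
        findings.append("no session log destination (neither s3BucketName nor cloudWatchLogGroupName)")
    if to_s3 and not inputs.get("s3EncryptionEnabled"):
        findings.append("S3 session logs are written without server-side encryption")
    if to_cw and not inputs.get("cloudWatchEncryptionEnabled"):
        findings.append("CloudWatch session logs are written to an unencrypted log group")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_PREFERENCES), ("hardened", HARDENED_PREFERENCES)):
        print(name, audit_session_preferences(doc) or "OK")
```

The checks map one-to-one onto the preference list above; the logging checks only fire for a destination that is actually configured, so an account that logs to CloudWatch alone is not flagged for S3 encryption.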
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client software.
— Microsoft [3]
- Azure Bastion requires a dedicated /26 subnet.
- Destination VMs need to allow the following inbound ports from the Azure Bastion Subnet:
- 3389 for Windows VMs
- 22 for Linux VMs
- Web browsers must support HTML 5.
Azure Bastion lives in its own dedicated subnet. No NSG is required on the Bastion subnet; however, subnets that contain workload VMs to be reached through Azure Bastion must allow inbound RDP or SSH traffic from the Azure Bastion Subnet. The platform's default AllowVnetInBound rule already permits this unless a custom rule with a lower priority number denies it, so a workload NSG that restricts the management ports needs an explicit allow for the Bastion subnet placed before that deny.
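The following check is an added example for this page, not Microsoft code. It models how an NSG evaluates inbound traffic (ascending priority, first match wins, platform default rules last) and applies it to a workload subnet's rule set, asking two questions: can the Azure Bastion Subnet reach 22 and 3389, and can anything on the Internet. The VNet address space, the Bastion subnet prefix, the external client address and all rule names are constructed; the VirtualNetwork service tag is simplified to this one VNet, whereas Azure also includes peered VNets in it.

```python
"""Check a workload subnet's NSG for Azure Bastion: RDP/SSH open from AzureBastionSubnet, nothing wider.

Added example, not Microsoft code. NSG evaluation is modelled as Azure applies it: rules are
tried in ascending priority, the first match decides, and the platform default rules
(AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) come last.
Constructed: VNet layout, prefixes, rule names, external address. Simplification: the
VirtualNetwork tag resolves to this VNet only (Azure also includes peered VNets).
"""
import ipaddress

VNET_CIDR = ipaddress.ip_network("10.10.0.0/16")            # assumed VNet address space
BASTION_SUBNET = ipaddress.ip_network("10.10.255.0/26")     # AzureBastionSubnet: /26 or larger
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")   # what the AzureLoadBalancer tag covers
INTERNET_CLIENT = "203.0.113.10"                            # constructed external address
RDP, SSH = 3389, 22

# Azure's implicit inbound rules; custom rules use priorities 100-4096.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "source": "VirtualNetwork", "port": "*", "access": "Allow"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "source": "AzureLoadBalancer", "port": "*", "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "source": "*", "port": "*", "access": "Deny"},
]


def _source_matches(source, src_ip):
    """Match a rule's source (service tag, CIDR or '*') against an address."""
    if source == "*":
        return True
    if source == "Internet":
        return src_ip not in VNET_CIDR
    if source == "VirtualNetwork":
        return src_ip in VNET_CIDR
    if source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return src_ip in ipaddress.ip_network(source)


def _port_matches(port_spec, dst_port):
    """Port spec is '*', a single port, a range 'a-b', or a comma-separated list of those."""
    if port_spec == "*":
        return True
    for item in str(port_spec).split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= dst_port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(rules, src_ip, dst_port):
    """Return 'Allow' or 'Deny' for one inbound flow, first match by ascending priority."""
    src_ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules + DEFAULT_INBOUND_RULES, key=lambda r: r["priority"]):
        if _source_matches(rule["source"], src_ip) and _port_matches(rule["port"], dst_port):
            return rule["access"]
    return "Deny"   # not reached: DenyAllInBound always matches


def bastion_only_check(rules):
    """Findings for a workload-subnet NSG: Bastion must reach RDP/SSH, the Internet must not."""
    findings = []
    bastion_host = str(BASTION_SUBNET[4])   # any address inside AzureBastionSubnet
    for port in (RDP, SSH):
        if evaluate_inbound(rules, bastion_host, port) != "Allow":
            findings.append(f"port {port} not reachable from AzureBastionSubnet")
        if evaluate_inbound(rules, INTERNET_CLIENT, port) == "Allow":
            findings.append(f"port {port} exposed to the Internet")
    return findings


# Constructed: the common mistake, management ports opened to any source.
EXPOSED_NSG = [
    {"name": "AllowRdpAny", "priority": 100, "source": "*", "port": "3389", "access": "Allow"},
    {"name": "AllowSshAny", "priority": 110, "source": "*", "port": "22", "access": "Allow"},
]

# Constructed: the hardened set. The Bastion allows sit in front of a VNet-wide deny, which in
# turn sits in front of the platform's AllowVnetInBound, so other subnets cannot reach 22/3389.
HARDENED_NSG = [
    {"name": "AllowRdpFromBastion", "priority": 100, "source": str(BASTION_SUBNET), "port": "3389", "access": "Allow"},
    {"name": "AllowSshFromBastion", "priority": 110, "source": str(BASTION_SUBNET), "port": "22", "access": "Allow"},
    {"name": "DenyMgmtPortsFromVnet", "priority": 200, "source": "VirtualNetwork", "port": "22,3389", "access": "Deny"},
]

if __name__ == "__main__":
    for name, nsg in (("exposed", EXPOSED_NSG), ("hardened", HARDENED_NSG), ("no custom rules", [])):
        print(name, bastion_only_check(nsg) or "OK")
```

Note what the empty rule set shows: with no custom rules at all the check passes, because AllowVnetInBound admits the Bastion subnet and DenyAllInBound blocks the Internet. The explicit allow only becomes necessary once a deny for the management ports is added in front of the default rules, which is the usual case for a hardened workload subnet.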
From a permissions point of view, two levels are involved: Azure RBAC and the operating system.
Users who use Azure Bastion to access a VM need to hold or (if Azure PIM is used) be eligible for the following roles:
- Reader role on the virtual machine.
- Reader role on the NIC with private IP of the virtual machine.
- Reader role on the Azure Bastion resource.
- Reader Role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).
At the OS level, users of Windows VMs need to be members of the Remote Desktop Users group (or of the local Administrators group) in order to log in to the VM.
Azure Bastion comes with two different SKUs:
Feature | Basic SKU | Standard SKU |
---|---|---|
RDP and SSH through the Azure portal over TLS | Yes | Yes |
Kerberos authentication | Yes | Yes |
VM audio output | Yes | Yes |
Shareable link | No | Yes |
Connect to VMs using a native client | No | Yes |
Host scaling | No | Yes |
Upload or download files | No | Yes |
Disable copy/paste (for web-based clients) | No | Yes |
Instances | 2 | up to 50 |
Charges are based on a combination of the components below. See the Azure Bastion Pricing documentation for more details.
- Hourly pricing based on SKU and amount of instances.
- Outbound data transfer
Criteria | Jump Host | AWS Systems Manager Session Manager | Azure Bastion |
---|---|---|---|
Service Model | IaaS | PaaS | PaaS |
Exposure | Internal or External | External | External |
Pricing | Charges apply for Compute, Storage and Network Traffic | Network egress traffic is charged as well as access to non-EC2 nodes (advanced access tiers). | Charged on an hourly basis per instance and for network egress traffic |
Can be accessed through Private Endpoints? | not required | Yes (AWS PrivateLink) | No |
Subnet Requirements | Minimum /29 | None (unless AWS PrivateLink is used) | Minimum /26 |
Network Access Requirements | Allow Inbound RDP/SSH traffic from client network | None | Allow Inbound RDP/SSH traffic from Azure Bastion Subnet |
UDR Support | Yes | n/a | No |
Agent required | No | Yes | No |
Authentication Requirements | Azure RBAC for the jump host VM, plus OS-level credentials on the jump host and the target | AWS IAM policies controlling access to the Session Manager API and to individual managed nodes | Azure RBAC (Reader on the VM, its NIC, the Bastion resource and, for peered networks, the virtual network), plus OS-level login rights |
Connection Limits | 2 RDP Connections (unless Terminal Services are deployed and RDS licenses are used) | None | Each instance can support 25 concurrent RDP connections and 50 concurrent SSH connections for medium workloads |
Logging | OS-level Logging | Session Logs & Session Activity (except for Port Forwarding/RDP) | Activity Logs |
Usage | SSH / RDP Clients | Browser (AWS console), AWS CLI, SSH/RDP tunnelled through the AWS CLI | Browser via the Azure portal; native SSH/RDP clients (Standard SKU) |