wip #298

Draft: wants to merge 2 commits into base: master
63 changes: 63 additions & 0 deletions aws/proposals/iebcloud-jump-host/iebcloud-jump-hosts.md
@@ -0,0 +1,63 @@
# AWS Cloud Jump Host - Bastion Server

This document is to cover the use case and purpose of CSVD's use of Jump Hosts.

<!-- add additional information here -->

Things to consider:
- multi-user access
- runs terraform/support repo tools
- should be used for application container development? (currently blocked by sudoers/and something else asking for UID/GID)
- runs aws cli for interaction with all environemnts
- if we had linux we could use AWS Workspaces?
- eks cluster with pod per user?, shared efs mount for data?
- ???



# Why

<!-- describe the reasoning behind this setup, what the applijcaiton will do with these things, etc -->

# What

<!-- describe what this will be doing. For example, we need an IAM policy and an IAM role with that policy,
distributed to each account. A central AWS account (list details) will use an instance role
and is able to assume the created role in every account. etc. -->

# Where

<!-- describe where this setup needs to be executed. We have multiple AWS organizations: ent-ew (commercial),
ent-gov (primary one), and lab-gov (not addressed here, nor visable from the ent-gov). We will need to
accomodate all of them. Also separate stuff that runs in the morpheus account(s) and stuff in target accounts -->

# When

<!-- list notional dates for when this sort of thing is needed -->

# Who

<!-- describe the user base, where they access from, how frequently it is used, how the users access it, etc. -->

# How

<!-- describe technical detail, as needed, how one implements in TF or whatever. Some of this will be split out
into stacksets in another account. Provide a diagram if you have one, clean with simple boxes and arrows. -->

<!-- add other sections which seem to make sense -->

# Links

AWS provides some resources for problems of this shape to consider:

1. https://aws.amazon.com/solutions/implementations/linux-bastion/
1. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/access-a-bastion-host-by-using-session-manager-and-amazon-ec2-instance-connect.html
1. https://aws.amazon.com/blogs/containers/scale-to-15000-tasks-in-a-single-amazon-elastic-container-service-ecs-cluster/
1. https://elasticscale.com/get-a-cheap-vpn-into-your-aws-vpc-and-worldwide-performance-improvement-through-cloudflare-tunnels/
1. https://aws.amazon.com/blogs/desktop-and-application-streaming/use-elastic-fleets-and-linux-for-inexpensive-secure-bastion-hosts-in-amazon-appstream-2-0/


# CHANGELOG

* 0.0.1 -- 2024.07.22
- wip
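Review bot: the "Things to consider" bullets ("multi-user access" and "runs aws cli for interaction with all environemnts") describe one shared host holding credentials that reach every environment, yet none of the sections states how individual user identity is preserved and audited on that host. The "Who" and "How" sections should say whether each user authenticates with their own identity (for example via Session Manager, which the second link under "Links" already points at) instead of a shared login plus a single instance role, how per-user AWS CLI calls are attributed (assumed role session names, CloudTrail), and where session logs are kept. Minor points in the same hunk: spelling in the placeholder comments ("applijcaiton" should be "application", "environemnts" should be "environments", "visable" should be "visible", "accomodate" should be "accommodate"), and the CHANGELOG line "- wip" needs to be indented under "* 0.0.1 -- 2024.07.22" to render as a nested list item.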