Proactive Ops

October 1, 2025

Kill Your Bastions

I'm calling time on bastion servers. AWS' modern tools and identity-based access make them obsolete in 2025.

Bastion servers have been a staple of cloud environments. It’s time to remove them. In late 2025 there is no need to run a bastion server in an AWS environment.

Origin of Bastions in Cloud

Before we had bastions, teams would open up SSH on most if not all of their servers to the internet. If an engineer's home internet used dynamic IP addresses, IP restrictions were skipped. It wasn't uncommon for a database server to sit out on the open internet with weak credentials.

Bastion servers provide greater control over access to the environment. The theory went that it was easier to use a single server as the choke point. There was only one set of firewall rules to manage. The bastion server often had full access to the resources in the cloud account.

Some teams got creative and implemented bastions on demand. These bastions provided stricter controls over inbound connections. Bastions on demand often still had full access to the environment.

Automated dynamic provisioning of network controls between hosts is rare. It takes significant engineering effort to get this right. Most teams skip it because leaving stuff open is easier.

Modern Access to Cloud Servers

Zero trust advocates moving away from trusting IP addresses. Instead the focus is on trusting identities. AWS IAM is built around identity trust. We can leverage this for implementing access controls in our environment.

Most bastions are jump boxes for allowing SSH connections to internal servers. AWS native tooling can replace these hosts. Systems Manager Session Manager provides interactive sessions on EC2 instances. Instead of travelling over the open internet, AWS builds a secure tunnel directly to the host. When configured properly, all commands executed are logged. Your security and compliance teams will thank you for implementing this.

These days a lot of workloads run in containers rather than on virtual machines. AWS has you covered here too. ECS Exec allows you to connect directly to a running container. Think of it as docker exec for the cloud. Recently AWS integrated ECS Exec into the console. Now it is one click to establish a connection via the web. ECS Exec, like Session Manager, supports command logging.

Both Session Manager and ECS Exec use IAM to manage access. Only users with the correct permissions can access the servers. If someone leaves the company, you don’t need to update firewall rules, delete SSH keys or anything else. Deactivate their account in your Identity Provider, job done. This removes their AWS access from IAM Identity Center and they’re locked out.

Databases

I can hear some of you thinking, "we still need bastions to access our database!" Ummm, no you don't. Meet the RDS Data API. The Data API is available for Amazon Aurora databases. It supports both provisioned and serverless v2 flavours. All queries can be logged to CloudTrail.

Enabling the Data API requires a Secrets Manager secret to store the credentials and a quick config change. Once enabled, the API is available via the Query Editor in the AWS Console, AWS CLI, any of the AWS SDKs, or even a Step Function.
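As an added example (not from the post), one IAM policy that grants exactly the identity-based access described above and in the Session Manager and ECS Exec sections: shell sessions only on EC2 instances tagged Environment=dev, ECS Exec only into the dev cluster's tagged tasks, and Data API queries against a single Aurora cluster plus the Secrets Manager secret it needs. The account ID 111122223333, the ap-southeast-2 region, the Environment tag, the cluster and secret names are placeholders; the `${aws:username}-*` session pattern assumes the caller is an IAM user.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SessionManagerToTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:ap-southeast-2:111122223333:instance/*",
      "Condition": { "StringEquals": { "ssm:resourceTag/Environment": "dev" } }
    },
    {
      "Sid": "SessionManagerShellDocumentOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:ap-southeast-2:111122223333:document/SSM-SessionManagerRunShell",
      "Condition": { "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" } }
    },
    {
      "Sid": "ManageOwnSessions",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "EcsExecIntoTaggedTasks",
      "Effect": "Allow",
      "Action": "ecs:ExecuteCommand",
      "Resource": ["arn:aws:ecs:ap-southeast-2:111122223333:cluster/dev", "arn:aws:ecs:ap-southeast-2:111122223333:task/dev/*"],
      "Condition": { "StringEquals": { "aws:ResourceTag/Environment": "dev" } }
    },
    {
      "Sid": "QueryAuroraThroughDataApi",
      "Effect": "Allow",
      "Action": ["rds-data:ExecuteStatement", "rds-data:BatchExecuteStatement",
                 "rds-data:BeginTransaction", "rds-data:CommitTransaction",
                 "rds-data:RollbackTransaction"],
      "Resource": "arn:aws:rds:ap-southeast-2:111122223333:cluster:dev-aurora"
    },
    {
      "Sid": "ReadCredentialUsedByDataApi",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:ap-southeast-2:111122223333:secret:dev/aurora/app-*"
    }
  ]
}
```

Because every statement is scoped by tag or by a single ARN, offboarding is still just deactivating the user in the identity provider; there is no per-host rule to clean up, and each session, exec and query lands in the Session Manager, ECS Exec and CloudTrail logs the post mentions.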

What if you’re running an RDS instance with an open source database like MySQL, MariaDB or PostgreSQL? Migrate to the equivalent Aurora flavour. You will get a cloud optimised database engine and access to the Data API.

Most other databases available on AWS also offer Data APIs. These include:

  • Graph database Neptune
  • NoSQL engine DynamoDB
  • Amazon Redshift data warehouse
  • Time series database Timestream

All of these services, except Neptune, provide query editors in the AWS console.

Conclusion

There may still be some corner cases where you need a bastion server. These should be the exception. Your starting point should be to avoid bastions. Look for alternatives and use them as the tool of last resort.

By removing bastions you improve your security posture. For each bastion decommissioned, you have several fewer moving parts to maintain. Make 2025 the last year you run bastion hosts.

Need Help?

Do you need some help implementing the ideas in this post? Get in touch! I am happy to help.

Like and Subscribe

Did you like this post? Please subscribe so you don't miss the next one. Do you know someone who would benefit from this article? Please share it with them.

Proactive Ops is produced on the unceded territory of the Ngunnawal people. We acknowledge the Traditional Owners and pay respect to Elders past and present.
