| HN Mirror

If his AWS instance is running internet facing applications and services, then it makes sense to have the AWS firewall lock down port 22 to a single IP or two (eg your bastions), and also have that AWS firewall only allow all access to those specific internet facing ports for any relevant applications. Yes you can and should also harden at the OS level. But it’s smart to utilize AWS’ security as well as much as possible on any instance that you need to be in production and available. You want to limit it’s exposure in any way you can.

So back to the bastion. You have the bastion open to all IPs for port 22 because you want to be able to connect to it from anywhere. Yes you also of course lock it down and use best practice sshd config measures. But you only have ssh running and you use keys with passphrase for your outbound ssh connections for increased security. You keep it updated.

Your bastion will not be as locked down as your AWS instance though because it won’t have that AWS security in front of it, but you’re not concerned that much about your bastion, because it only has ssh listening, and you’ve disabled root ssh and password login, you keep it regularly updated, and the only thing you ever do with it is ssh to it and then ssh again to your important endpoints using a key WITH a passphrase.

Your AWS instance is your primary concern and is the important thing that you care about the most here. So you put the most protection in front of that in front of key services. Like OP said, ssh to the AWS instance sort of becomes “internal” so to speak, as you can only come in from the bastion with a key and passphrase.