[Q] Why Bastion has role? #11

Open
1 of 7 tasks
ozjongwon opened this issue Jul 18, 2017 · 1 comment

Comments


ozjongwon commented Jul 18, 2017

Thanks for sharing great templates! I could get a good amount of knowledge of AWS architecture through these.

Thanks!

-- J

Request

  • Bug
  • New Feature
  • Refactor
  • Question
  • Documentation
  • Tests
  • Other

Details

  • Could you explain why the bastion template has an IAM Role? I think I don't need any role at all because it is just a host to jump to private servers.
@KeenanLawrence

For others that may stumble across this:

There's no actual definition of a Bastion host. However, this is (at least) a server in a DMZ. One of the functions could be a "jump box" which typically accepts SSH connections.

There are many reasons that the Bastion host might have a role associated to it. One of them may be to add authorised public keys using IAM.
Another might be to trigger an SNS/SES notification for OSSEC alerts.

Probably one of the most important would be to allow SSM to run automation against this host (updates, patches, config, audits, etc). However, this might not be your preferred method.

Regardless, you get the point.


For smaller companies/startups, the Bastion might even double as a lightweight scheduler that executes tasks and uploads results/files to S3. There may be many uses for the Bastion in these contexts, and it will ultimately come down to compromise (It Depends™).

@stelligent, brilliant repository! Thank you!
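
The uses named in the comment above (IAM-managed SSH public keys, SNS alerts, SSM automation) each need only a few permissions, so a bastion role can stay narrow. The following is an added example, not code from the repository or from either commenter: it audits an instance-role policy document for grants wider than that. The two policies, the ARNs, the account id, the Sids and the SSM allowlist are constructed assumptions.

```python
# Assumption: SSM agent actions that AWS's AmazonSSMManagedInstanceCore managed
# policy grants on Resource "*"; accepted on "*" here for that reason.
SSM_AGENT_ACTIONS = {
    "ssm:updateinstanceinformation", "ssmmessages:createcontrolchannel",
    "ssmmessages:createdatachannel", "ssmmessages:opencontrolchannel",
    "ssmmessages:opendatachannel",
}

# Constructed sample: role scoped to the uses named in the thread.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadSshPublicKeys", "Effect": "Allow",
     "Action": ["iam:ListSSHPublicKeys", "iam:GetSSHPublicKey"],
     "Resource": "arn:aws:iam::111122223333:user/*"},
    {"Sid": "PublishOssecAlerts", "Effect": "Allow", "Action": "sns:Publish",
     "Resource": "arn:aws:sns:us-east-1:111122223333:bastion-alerts"},
    {"Sid": "SsmAgent", "Effect": "Allow", "Resource": "*",
     "Action": ["ssm:UpdateInstanceInformation", "ssmmessages:CreateControlChannel",
                "ssmmessages:OpenControlChannel"]},
]}

# Constructed sample: the same uses granted far too broadly.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "UploadResults", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Alerts", "Effect": "Allow", "Action": "sns:Publish", "Resource": "*"},
    {"Sid": "Everything", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
]}


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (sid, finding) pairs for Allow statements wider than needed."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource grants everything unlisted"))
        any_resource = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((sid, f"wildcard action {action}"))
            elif any_resource and action.lower() not in SSM_AGENT_ACTIONS:
                findings.append((sid, f"{action} on Resource *"))
    return findings
```

`audit_policy(SCOPED_POLICY)` returns an empty list, while `audit_policy(BROAD_POLICY)` returns one finding per statement.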
