Bastion Host vs Session Manager vs AWS AppStream



Looking for a secure way to use an SSH tunnel, then RDP through local hosts. We have several options to accomplish this: Bastion Host, SSM Session Manager, or AWS AppStream.

From the 3 options, is there a clear recommendation and best approach for SSH, RDP?


asked 4 years ago, 1663 views
1 Answer
Accepted Answer

AppStream 2.0 is a fully managed non-persistent application streaming service, so there are no instances to manage, no VPN or internet-facing endpoint for the customer to manage, and no bridging of networks. AppStream 2.0 supports SAML federation, simplifying the entitlements and discovery process of the bastion host. AppStream 2.0 is primarily HTML5, so the end user doesn't need to install any clients, and can use the device of their choice. The customer can build an image with whatever software they want, and quickly spin up as many bastion host instances as they need, and each user gets their own instance, so no noisy or nosy neighbor problems exist. A customer uses AppStream 2.0 as their bastion host provider for their development environments. AppStream 2.0 also enables customers to configure admin control policies that prevent users from downloading data, or copying data out of the environment. However, like the other managed services, this may be overkill for smaller scenarios.

A bastion host instance requires the customer to manage its lifecycle, and bridges two networks, adding an element the customer has to manage closely. They are simple and quick to spin up, but can be difficult to scale, depending on the number of users that need to use it.

SSM Session Manager seems to be mostly CLI-based access to instances (though I'm not an expert) - if a GUI is required, Session Manager Port Forward seems to be a good option, but you lose the ability to control the endpoint beyond what RDP supports. With a bastion host or an AppStream 2.0 instance, you're able to control the "gateway" middle boundary.

Overall, there's no one-size-fits-all, and it really depends on what the user experience and security requirements are. Depending on the requirements, the recommendation can change wildly (even to a fully persistent environment such as WorkSpaces).

answered 4 years ago
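The Session Manager port-forwarding option mentioned in the answer, written out as an added example (this script is not from the original thread or from AWS): it validates the target details and then opens a local port that tunnels to RDP on a private Windows host through the SSM agent, so the host needs no public IP and no inbound 3389 rule. It assumes the AWS CLI v2 and the Session Manager plugin are installed and that the caller's IAM identity is allowed to start sessions on the instance; the instance id and hostname below are placeholders.

```shell
#!/bin/sh
# Added example: RDP to a private Windows host via SSM Session Manager port forwarding.
# Placeholders: i-0123456789abcdef0 (the instance running the SSM agent) and
# win-app-01.internal (the RDP target reachable from that instance).
set -eu

# Guard the values we are about to hand to the CLI: an instance id, a plain
# hostname, and two ports in range. Anything else is rejected before it reaches
# the command line.
validate_target() {
  printf '%s\n' "$1" | grep -Eq '^i-[0-9a-f]{8,17}$' || return 1
  printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9.-]+$' || return 1
  for vt_port in "$3" "$4"; do
    printf '%s\n' "$vt_port" | grep -Eq '^[0-9]+$' || return 1
    [ "$vt_port" -ge 1 ] && [ "$vt_port" -le 65535 ] || return 1
  done
  return 0
}

# Return (as a string) the exact command that will be run, so it can be reviewed
# or logged before a session is started.
build_rdp_tunnel_cmd() {
  validate_target "$1" "$2" "$3" "$4" || return 1
  printf 'aws ssm start-session --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=%s,portNumber=%s,localPortNumber=%s' "$1" "$2" "$3" "$4"
}

# Start the tunnel: local port $4 on this machine forwards to $2:$3 through the
# SSM agent on instance $1. The StartSession call is recorded in CloudTrail under
# the caller's IAM identity, which is the audit trail a bastion's SSH logs would
# otherwise have to provide. Point an RDP client at localhost:$4 afterwards.
start_rdp_tunnel() {
  validate_target "$1" "$2" "$3" "$4" || { echo "invalid target" >&2; return 1; }
  aws ssm start-session --target "$1" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "host=$2,portNumber=$3,localPortNumber=$4"
}

# Usage: ./ssm_rdp.sh run i-0123456789abcdef0 win-app-01.internal 3389 13389
if [ "$#" -eq 5 ] && [ "$1" = "run" ]; then
  start_rdp_tunnel "$2" "$3" "$4" "$5"
fi
```

The same validation applies if the `--document-name` is swapped for `AWS-StartPortForwardingSession` (no `host` parameter) to reach RDP on the SSM-managed instance itself.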
