Skip to main content
Follow these steps to configure an AWS bastion server to accept an SSH connection from our service.

Prerequisites

  • A public SSH key to add to the bastion machine to authenticate the SSH connection. Ask your contact at our service if they have not already provided one to you.
1

Provision a bastion server

If using SSH tunneling to connect to a destination database, we recommend using a standalone bastion server. This step will walk through provisioning the standalone bastion server. If using an existing server, skip to step 2.
  1. Navigate to the EC2 Instances page, and click Launch instances.
  1. Select an image. We recommend a default Amazon Linux image, such as the 64-bit (x86) Amazon Linux 2 AMI (the default option).
  1. Select a type. We recommend the t3.nano. Because this bastion server will be used exclusively for SSH tunneling, Network Performance is the primary consideration. The t3.nano default configuration comes with Network Performance of up to 5 Gigabit, as well as minimal Memory (1 GiB), vCPUs (2) and Storage (8 GB SSD) for about $5/mo depending on region and market rates.
  1. Click Review and launch. Consider modifying the default security group according to your security policies to enable configuration (e.g., creating the SSH user in Step 2). Click Launch. We will further modify the default security group in Step 2. (The remaining default options are sufficient.)
2

Configure the server

Allow SSH port access

In the AWS console, complete the steps below
  1. Navigate to the EC2 Instances page, and click the instance ID of the server to be used as the bastion host.
  1. In the Security tab, click the link to one of the security groups. (E.g., the default security group). Make note of this security group, as you will need to allow inbound access to your destination DB as part of Step 3.
  1. In the Inbound rules tab, click “Edit inbound rules”.
  1. Click Add rule. Add an inbound rule of type SSH and whitelist our static IP. Optionally, add a description. For the correct IP, refer to the IPs section of the docs. _ Note: you will not be able to SSH into this machine to configure the SSH user unless you also whitelist your machine’s IP in the inbound rules. Consider temporarily adding that IP to facilitate the next step._

Create the SSH user

Login to the bastion server and complete the steps below.
  1. Create group <ssh_group>:
Create group
sudo groupadd <ssh_group>
  1. Create user <ssh_user>:
Create user
sudo useradd -m -g <ssh_group> <ssh_user>
  1. Switch to the SSH user:
Switch to SSH user
sudo su - <ssh_user>
  1. Create the .ssh directory:
Create .ssh directory
mkdir ~/.ssh
  1. Set permissions:
Set directory permissions
chmod 700 ~/.ssh
  1. Navigate to the .ssh directory:
Navigate to .ssh directory
cd ~/.ssh
  1. Create the authorized_keys file:
Create authorized_keys file
touch authorized_keys
  1. Set permissions:
Set file permissions
chmod 600 authorized_keys
  1. Add the public key to the authorized_keys file. The key, including the “ssh-key” and comment, should be all on one line in the file, without linebreaks.
Add public key
echo "<provided_ssh_public_key>" > authorized_keys
3

Grant DB access to the bastion server

  1. Within the Inbound rules of the database security group, click Add rule. Add the security group noted in Step 2, and click Save rules.