Use AWS Windows instance as an SSH proxy?
-
[email protected] replied to [email protected]
They could also just be spawning Windows VMs directly in AWS, no point doing nested virtualization for something like this. Pretty sure they have a service for doing exactly what you described. No need for a VPN, it can spawn your VM on the right network already (they call it VPC). They can even put real GPUs for AutoCAD and stuff on those things.
-
[email protected] replied to [email protected]
Maybe ask them to provide you with a Linux CLI-only bastion? Then you've got a lot of options, it costs almost nothing, and it's even better security-wise.
My plan is to find a solution that complies with their security standards (i.e. through AWS's authentication spec)
I think SSO is your best bet, if you use Identity Center.
-
[email protected] replied to [email protected]
If they require you to use the bastion, then trying to avoid it is probably a bad idea.
If the bastion is running an SSH server, you can jump through it with SSH pass-through (using -J).
SSM provides Session Manager, which allows you to skip having a bastion altogether: it basically lets you start an "ssh" session to a private instance without opening ports or networking, using AWS creds. This requires that you have access permissions to do this and that SSM is enabled.
But… if the reason you are using the bastion is so that they can inspect the traffic, then they’re not gonna let you bypass it via ssm because that also bypasses the managed networking.
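The two options named in the post above, written out as ssh_config stanzas. This is an added example, not code from the thread or from AWS: the host names, the bastion address, the user name, the key path and the instance-id pattern are placeholders you would replace with your own. The SSM stanza uses the ProxyCommand form that AWS documents for Session Manager (the AWS-StartSSHSession document), which needs the SSM agent on the instance, the session-manager-plugin locally, and IAM permission to start a session on that instance; no inbound security-group rule is needed, and the sessions are logged by SSM and CloudTrail, which is why the post says a bypass of the bastion is a question of policy rather than of technique.

```shell
#!/bin/sh
# Added example (not from the thread). Emits two ssh_config fragments that
# correspond to the two options described: a ProxyJump through a bastion that
# runs sshd, and an SSM Session Manager channel with no bastion at all.
# All host names, users and paths below are placeholders.

# Option 1: jump through the bastion. This is what `ssh -J bastion host` does,
# made permanent in ~/.ssh/config. Every hop still traverses the bastion, so
# whatever logging or inspection it provides keeps working.
bastion_ssh_config() {
  cat <<'EOF'
Host bastion
    HostName bastion.example.internal
    User ec2-user
    IdentityFile ~/.ssh/id_ed25519

# Private instances are reachable only via the bastion.
Host 10.0.*.*
    User ec2-user
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
EOF
}

# Option 2: no bastion. ssh is tunnelled over an SSM Session Manager session;
# %h is the EC2 instance id (or managed-instance id) and %p the port. Requires
# the SSM agent on the instance, the session-manager-plugin locally, and
# ssm:StartSession permission in the caller's IAM identity.
ssm_ssh_config() {
  cat <<'EOF'
Host i-* mi-*
    User ec2-user
    IdentityFile ~/.ssh/id_ed25519
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# Count the `Host` stanzas in a config fragment; a quick structural check that
# the fragment was assembled as intended.
count_hosts() {
  printf '%s\n' "$1" | grep -c '^Host '
}

# Write both fragments to a file; `ssh -G -F ssh_config.generated 10.0.1.5`
# then shows the options ssh would actually apply to a private host.
write_config() {
  out="${1:-ssh_config.generated}"
  { bastion_ssh_config; echo; ssm_ssh_config; } > "$out"
  echo "wrote $out with $(count_hosts "$(cat "$out")") Host stanzas"
}
```

With the SSM fragment in place, `ssh i-0123456789abcdef0` (a placeholder id) opens a session without any port exposed to the internet, which is the point the post makes: the same control that removes the need for a bastion also removes the traffic from the managed network path, so it is only appropriate where the account owner has enabled it.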
-
[email protected] replied to [email protected]
Yeah, the browser seems to be what I'm resigned to. In terms of security, there isn't really much stopping me from spawning a reverse SSH proxy to a public server from within the desktop, and then connecting to that....
If I wanted to wreak havoc, my user would still need to be in the right access groups to do anything. I feel that cutting out the middleman and letting me connect directly to the bastion would be easier for everyone...
-
[email protected] replied to [email protected]
Except that the idea is that you cannot get data in or out of the corporate network. How it's implemented will determine how successful that is.
Regardless, you're likely to lose your job if it's detected without written permission and even then it's likely to turn into a security pissing match.
-
[email protected] replied to [email protected]
Most likely they're using WorkSpaces, and the reason for it is to stop the very thing they are trying to do, to keep data from directly leaking out of their network. If they had a Linux desktop WorkSpace and opened the SSH port on the WorkSpace's ENI, you could do that, but that would send up all kinds of security alerts.
-
[email protected] replied to [email protected]
You can always connect to yourself from the Windows machine and tunnel SSH over that, but it’s likely you’ll hit a firewall or possibly even a TLS MitM box.
I don't want to undermine their security. I could do a reverse proxy of course; I was just wondering if AWS itself had a solution here.
-
[email protected] replied to [email protected]
In the scenario I have, the browser clipboard literally lets me copy files to my laptop using Ctrl+C and Ctrl+V. I do hear your wider point though.
-
[email protected] replied to [email protected]
I'm not sure what you mean by WorkSpaces, I haven't touched Windows in a while.
Wouldn't a bastion with SSO do the same thing? In both cases OP needs to pass AWS-based security checks in order to ssh from the bastion instance. And both options can be locked down by enterprise standards.
-
[email protected] replied to [email protected]
WorkSpaces is an AWS service that creates desktops that can be used via a WorkSpaces client or through the web browser, like the Guacamole project. Its main feature is that the data stays in AWS, not on local hardware.