reconcile bastion host template with aws-quickstart/quickstart-linux-bastion #38

Open
wjordan opened this issue Jun 26, 2018 · 3 comments

Comments

@wjordan

wjordan commented Jun 26, 2018

A CloudFormation template to create a bastion host has been previously published at aws-quickstart/quickstart-linux-bastion.

The Startup Kit template in this project and the older Quick Start template offer different implementations of the same type of solution, leading to some confusion as to which of the two solutions is the approach recommended by AWS, or if both are still current, what are the strengths/drawbacks or recommended use-cases for each.

Would it be possible to reconcile the two bastion-host templates, whether this involves deprecating one in favor of the other, or merging the features of both into a single unified and well-maintained solution?

I'm wondering if a direct comparison can be made between them, and which approach is more secure, maintainable and/or battle-tested than the other.

(Note that I've opened a parallel issue in the other project at aws-quickstart/quickstart-linux-bastion#36, and I reported a previous duplicate CloudFormation template in aws-quickstart/quickstart-linux-bastion#1 - so this is the third distinct bastion-host CloudFormation template AWS has published that I'm aware of.)

@rnzsgh
Contributor

rnzsgh commented Jul 2, 2018

Greetings,

Thanks for the request. Specifically, what functionality would you like to see in the bastion host template? This template includes support for MFA and CloudWatch alarms, which seem like they would be nice features for the quickstart. We also have Systems Manager support on our roadmap.

Thanks,

Ryan

@wjordan
Author

wjordan commented Jul 2, 2018

This issue isn't concerning specific functionality missing from this or the other template, or their respective roadmaps. The issue is concerning two competing AWS-maintained projects doing the same thing, which causes confusion.

Specifically - as an AWS customer potentially interested in deploying a bastion host for my infrastructure according to AWS best practices, I no longer confidently know what that 'best practice' is, since AWS has now published two independent separate templates solving the same exact problem. This is a documentation/marketing/organizational issue, not a technical one.

To resolve this issue, either one or the other template needs to be deprecated in favor of the other and marked as the current AWS best practice, or clearer documentation needs to be added to both projects referencing the other alternative project, and indicating which use-cases are better supported by each.

@rnzsgh
Contributor

rnzsgh commented Jul 2, 2018

Hi Will,

Thanks for the feedback. We will discuss internally. Due to the embedded nature of the bastion host in startup kit, it would be somewhat difficult for us to use a generic replacement (i.e., it is tied to specific security groups and dependent upon the VPC stack shipped with Startup Kit), but it is definitely something that we will research. In the meantime, if the Quick Start bastion host better fits your use case, I would recommend using that project.

Ryan
