Ask HN: Is the Bastion Host Security Pattern Outdated?
Following on to this article:
http://programming.oreilly.com/2014/01/is-the-jump-box-obsolete.html?cmp=tw-prog-na-article-pr_is_the_jump_box_obsolete
The article proposes that the Jump Box / Bastion Host pattern is obsolete for many cloud deployments. I've been using a 'bastion host' pattern to access Amazon VPCs - and while the security / IP infrastructure is somewhat simpler to maintain, there really is no way to audit user access; the AWS EC2 private key infrastructure and bastion host pattern pretty much ensure every user runs as 'root'.
Are there better alternatives for AWS (or other IaaS services in general) than the bastion host pattern? Well, that article was written by the head of this company https://www.jumpcloud.com/about/ that sells a SaaS solution that builds on Chef and Puppet. More generally speaking, each DevOps framework has its own integrated solution for user account provisioning / security.
Also see: 13 Practical and Tactical Cloud Security Controls in EC2
http://www.tuicool.com/articles/NbIz6z
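The complaint in the post is that a bastion reached through one shared EC2 key pair leaves no per-user audit trail. One thing a practitioner can still do, short of provisioning individual accounts, is attribute logins by the public key that authenticated: recent OpenSSH versions log the key's fingerprint on the "Accepted publickey" line, so a roster of fingerprint-to-person mappings turns the shared-account log back into a per-person record and exposes the cases it cannot explain. The script below is an added example written for this page, not code from the post, from JumpCloud, or from the linked articles. The roster, the hostname "bastion", the IP addresses and every log line are constructed sample data, and the parser assumes the default syslog-style sshd line format.

```python
"""Attribute logins on a shared bastion account to people by SSH key fingerprint.

Added example for this thread. Assumptions (not from the post): the bastion
runs OpenSSH, which records the authenticating key's fingerprint on the
"Accepted publickey" line, and the roster below is kept in sync with the
source that writes authorized_keys. All data here is constructed.
"""
import re
from collections import Counter

# Constructed roster: fingerprint of each person's public key -> person.
# Generate it from the same inventory that deploys authorized_keys so the two
# cannot drift apart; a key that is not in the roster is a finding.
ROSTER = {
    "SHA256:3f2Xk9d0YbUq1mN7Tz5wPqRvLsHcA8eJbKfG2oD4iVk": "alice",
    "SHA256:Qw8Lr2MxPz5bVtN6cJ3sHyK1dFgA9eR7uTiO0pWvXnE": "bob",
}

# Syslog-style sshd success line. The fingerprint suffix is optional because
# password logins (and very old OpenSSH builds) omit it.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<account>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<algo>\S+) (?P<fp>SHA256:\S+))?$"
)

# Constructed sample log: two known keys, one unknown key, one failed attempt
# (ignored), and one password login that can never be attributed to a person.
SAMPLE_LOG = """\
Jan  9 10:15:22 bastion sshd[2101]: Accepted publickey for ec2-user from 203.0.113.5 port 51234 ssh2: RSA SHA256:3f2Xk9d0YbUq1mN7Tz5wPqRvLsHcA8eJbKfG2oD4iVk
Jan  9 10:16:03 bastion sshd[2150]: Accepted publickey for ec2-user from 203.0.113.7 port 40120 ssh2: ED25519 SHA256:Qw8Lr2MxPz5bVtN6cJ3sHyK1dFgA9eR7uTiO0pWvXnE
Jan  9 11:02:41 bastion sshd[2377]: Accepted publickey for ec2-user from 198.51.100.9 port 50002 ssh2: RSA SHA256:Zz9UnknownKeyNotInRosterXXXXXXXXXXXXXXXXXXX
Jan  9 11:05:12 bastion sshd[2380]: Failed publickey for ec2-user from 198.51.100.9 port 50010 ssh2: RSA SHA256:Zz9UnknownKeyNotInRosterXXXXXXXXXXXXXXXXXXX
Jan  9 11:07:55 bastion sshd[2391]: Accepted password for ec2-user from 198.51.100.9 port 50011 ssh2
"""


def parse_accepted(line):
    """Return the fields of an 'Accepted ...' sshd line, or None for other lines."""
    m = ACCEPTED_RE.match(line)
    return m.groupdict() if m else None


def attribute(log_text, roster=ROSTER):
    """Map every successful login to a person.

    'UNKNOWN-KEY' marks a public-key login whose fingerprint is not in the
    roster (a key that should not be on the box); 'UNATTRIBUTABLE' marks a
    login with no fingerprint at all, i.e. password authentication, which
    the shared-account model cannot tie to anyone.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec is None:
            continue
        if rec["method"] != "publickey" or rec["fp"] is None:
            person = "UNATTRIBUTABLE"
        else:
            person = roster.get(rec["fp"], "UNKNOWN-KEY")
        events.append({
            "ts": rec["ts"],
            "account": rec["account"],
            "ip": rec["ip"],
            "fingerprint": rec["fp"],
            "person": person,
        })
    return events


def summarize(events):
    """Count logins per attributed person; the two sentinel values are the findings."""
    return Counter(e["person"] for e in events)


if __name__ == "__main__":
    for e in attribute(SAMPLE_LOG):
        print(f'{e["ts"]} {e["account"]}@{e["ip"]} -> {e["person"]}')
    print(summarize(attribute(SAMPLE_LOG)))
```

This gives attribution, not least privilege: everyone who lands in the shared account still has that account's rights, so the fingerprint map is a floor for auditing, not a substitute for per-user accounts with sudo logging. Its value is in what it refuses to attribute: a fingerprint that is not in the roster means a key was added outside the provisioning path, and a password login means sshd is accepting a method that the key-based model assumes is disabled (`PasswordAuthentication no`).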