My work has given me a remote windows desktop to use, that I access using AWS.
Through this windows desktop (accessed via a chrome web-browser), I can SSH into a compute node to do work.
I dont actually need this virtual desktop, I’d rather just SSH from my local machine directly to the compute node, using the remote desktop’s network without having to spawn the desktop itself.
Ive been reading up about SSM agents[0] as a solution, but am unsure if I have the priveledges to do this myself.
Is this something I can easily do using the AWS credentials that I have?
If they require you to use the bastion, then trying to avoid it is probably a bad idea.
If the bastion is running an ssh server, you can jump through it with ssh pass through (using -J).
SSM provides session manager which allows you to skip having a bastion altogether- it basically lets you start an “ssh” session to a private instance without opening ports or networking using aws creds. This requires that you have access permissions to do this and that ssm is enabled.
But… if the reason you are using the bastion is so that they can inspect the traffic, then they’re not gonna let you bypass it via ssm because that also bypasses the managed networking.
Maybe ask your work before you get fired?
I have, but the IT dept either willfully misinterprets my request, or does not actually know. No judgement from my side, as I am also uncertain.
My plan is to find a solution that complies with their security standards (i.e. through AWS’s authentication spec), but allows me a VPN/SSH style passthrough.
Maybe ask them to provide you with a Linux cli only bastion? Then you’ve got a lot of options, it costs almost nothing, and it’s even better security wise.
My plan is to find a solution that complies with their security standards (i.e. through AWS’s authentication spec)
I think SSO is your best bet, if you use identity center.
Most likely using workspaces and the reason for it is to stop the very thing they are trying to do to keep data from directly leaking out of their network. If they had a Linux desktop workspace if they opened the ssh port on the workspace Eni you could do that but that would send up all kinds of security alerts.
I’m not sure what you use by workspaces, I haven’t touched windows in a while.
Wouldn’t a bastion with SSO do the same thing? In both cases OP needs to pass AWS based security checks in order to ssh from the bastion instance. And both options can be locked down by enterprise standards.
Workspaces is an AWS service that creates desktops that can be used via a workspace client or through the web browser like guacamole project. It’s main feature is the data stays in AWS not on local hardware.
It depends on how the network is setup, I suppose. I don’t know how AWS does things, but I would imagine that the Windows Desktop is set to be on the same network/subnet as the compute node you ssh into. Else the node would be accessible by anyone on the internet for brute forcing.
The way I reason it, the Windows Desktop that AWS spawns in done on a Linux-based VM in the cloud. AWS then creates a VPN to the workplace to make it seem like it shares the same subnet as the compute nodes. I think that’s how this works.
If so, I’m wondering if I can just SSH either into that VM without spawning the desktop and access the VPN that way, or if AWS itself offers some kind of service that extends the VPN directly to me.
I should stress that I’m not asking for creative solutions, I’m only wondering if this is a common use-case that easily catered for and I just need to RTFM better
https://github.com/cea-hpc/sshproxy
Maybe? I saw a presentation from the dev, not sure if it will run on windows though
