AWS EC2 Best Practices

AWS recommends the following best practices to get maximum benefit and satisfaction from EC2.

Security & Network

  • Manage access to AWS resources and APIs using identity federation with an identity provider and IAM roles whenever possible.
  • Implement the least permissive security group rules: allow only the ports and sources each instance actually needs, and never expose administrative ports (SSH 22, RDP 3389) to 0.0.0.0/0.
  • Regularly patch, update, and secure the operating system and applications on the instance. Use AWS Systems Manager Patch Manager to automate OS and application patching across EC2 fleets.
  • Use AWS Systems Manager Session Manager for secure shell access instead of opening SSH/RDP ports. Session Manager provides IAM-based access control, full audit logging via CloudTrail, and eliminates the need for bastion hosts or managing SSH keys.
  • Establish credential management policies and procedures for creating, distributing, rotating, and revoking AWS access credentials.
  • Use Amazon Inspector to automatically discover and scan EC2 instances for software vulnerabilities and unintended network exposure.
  • Use AWS Security Hub controls to monitor EC2 resources against security best practices and standards (e.g., EBS encryption enabled, IMDSv2 required, no public IPv4 addresses).
  • Enforce IMDSv2 (Instance Metadata Service Version 2) on all instances. IMDSv2 uses session-oriented requests with tokens, protecting against SSRF attacks. As of mid-2024, all newly released EC2 instance types use IMDSv2 only by default.
  • Encrypt EBS volumes and snapshots. Enable EBS encryption by default at the account level to ensure all newly created volumes are automatically encrypted using AWS KMS.
  • Set the time-to-live (TTL) value for applications to 255 for both IPv4 and IPv6. Using a smaller value risks TTL expiring while traffic is in transit, causing reachability issues.
  • Use AWS Nitro System based instances, which provide enhanced security through hardware-based isolation, always-on memory encryption (available from Graviton2, AMD EPYC Milan, and Intel Ice Lake processors onward), and a minimized attack surface with no operator access to the underlying host.

📝 Note: EC2-Classic was fully retired on August 15, 2023. All instances now launch into a VPC by default. Any references to EC2-Classic are historical only.
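The IMDSv2 and EBS-encryption bullets above are easy to state and easy to drift from, so here is an added audit script (not from the original page or from AWS) that checks both settings offline. It walks dictionaries shaped like the boto3 responses of `ec2.describe_instances()` and `ec2.describe_volumes()`, flags instances that still answer IMDSv1 requests and volumes that are unencrypted, and builds the keyword arguments for the real `ec2.modify_instance_metadata_options()` call so they can be reviewed before anything is changed. The instance and volume IDs are constructed sample data.

```python
"""Offline audit of EC2 IMDSv2 enforcement and EBS encryption.

Added example, not part of the original page or AWS documentation.
Input dicts mimic boto3's ec2.describe_instances() / ec2.describe_volumes()
responses; every ID below is constructed.
"""
from __future__ import annotations

# Constructed sample: i-0aaa.. is hardened, i-0bbb.. still allows IMDSv1,
# i-0ccc.. requires tokens but lets them travel 2 hops (container host),
# i-0ddd.. has IMDS disabled entirely.
SAMPLE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa000000000001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb000000000002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc000000000003",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ddd000000000004",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]}]
}

SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0aaa000000000001", "Encrypted": True,
         "Attachments": [{"InstanceId": "i-0aaa000000000001"}]},
        {"VolumeId": "vol-0bbb000000000002", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0bbb000000000002"}]},
        {"VolumeId": "vol-0eee000000000005", "Encrypted": False, "Attachments": []},
    ]
}


def audit_imds(describe_instances: dict) -> dict[str, list[str]]:
    """Return {"imdsv1_allowed": [...], "hop_limit_gt_1": [...]}.

    HttpTokens == "optional" means a plain GET without a session token still
    works, so an SSRF bug in an application on the box can read the role
    credentials. An instance with the endpoint disabled cannot leak anything
    through IMDS and is skipped. A hop limit above 1 lets the PUT response
    (the token) cross a network hop; containers using the host's IMDS need
    that, but it weakens the SSRF protection, so it is reported as a warning.
    """
    findings: dict[str, list[str]] = {"imdsv1_allowed": [], "hop_limit_gt_1": []}
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue
            if opts.get("HttpTokens") != "required":
                findings["imdsv1_allowed"].append(inst["InstanceId"])
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings["hop_limit_gt_1"].append(inst["InstanceId"])
    return findings


def unencrypted_volumes(describe_volumes: dict) -> list[tuple[str, str | None]]:
    """(volume_id, attached_instance_id or None) for every volume with Encrypted == False."""
    out = []
    for vol in describe_volumes.get("Volumes", []):
        if not vol.get("Encrypted", False):
            attached = vol.get("Attachments") or []
            out.append((vol["VolumeId"], attached[0]["InstanceId"] if attached else None))
    return out


def imdsv2_remediation_kwargs(instance_id: str, hop_limit: int = 1) -> dict:
    """Keyword arguments for ec2.modify_instance_metadata_options(**kwargs).

    HttpTokens="required" switches IMDSv1 off; the endpoint stays enabled so
    SDKs on the instance keep working; hop limit defaults to the tightest value.
    """
    return {
        "InstanceId": instance_id,
        "HttpTokens": "required",
        "HttpEndpoint": "enabled",
        "HttpPutResponseHopLimit": hop_limit,
    }


if __name__ == "__main__":
    report = audit_imds(SAMPLE_INSTANCES)
    for iid in report["imdsv1_allowed"]:
        print("IMDSv1 still allowed:", iid, "->", imdsv2_remediation_kwargs(iid))
    for iid in report["hop_limit_gt_1"]:
        print("warning: token hop limit > 1 on", iid)
    for vid, iid in unencrypted_volumes(SAMPLE_VOLUMES):
        print("unencrypted volume:", vid, "attached to", iid or "nothing")
```

In a live account the two input dicts come from the (paginated) `describe_instances` and `describe_volumes` calls, the remediation kwargs go straight into `ec2.modify_instance_metadata_options(**kwargs)`, and `ec2.enable_ebs_encryption_by_default()` sets the regional default mentioned above. Note that an existing unencrypted volume cannot be encrypted in place: snapshot it, copy the snapshot with encryption enabled, create a new volume from the copy, and swap it in.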

Storage

  • EC2 supports Instance store and EBS volumes. Understand the implications of the root device type for data persistence, backup, and recovery.
  • Use separate Amazon EBS volumes for the operating system (root device) versus the data.
  • Ensure that the data volume persists after instance termination by configuring the DeleteOnTermination attribute appropriately.
  • Use the instance store available for the instance to store only temporary data. Data stored in instance store is deleted when an instance is stopped, hibernated, or terminated.
  • If instance store is used for database storage, run the database as a cluster with a replication factor high enough to tolerate the loss of any single instance together with its local data.
  • Enable EBS encryption by default at the account/region level so all new volumes and snapshots are encrypted automatically.
  • Use appropriate EBS volume types based on workload requirements:
    • gp3 – General purpose SSD (baseline 3,000 IOPS, up to 16,000 IOPS)
    • io2 Block Express – High-performance SSD (up to 256,000 IOPS) for mission-critical workloads
    • st1/sc1 – HDD volumes for throughput-intensive or cold storage workloads

Resource Management

  • Use instance metadata and custom resource tags to track and identify AWS resources.
  • View current limits for Amazon EC2 using Service Quotas. Plan to request any limit increases in advance of the time needed.
  • Use AWS Trusted Advisor to inspect the AWS environment and get recommendations for saving money, improving system availability and performance, and closing security gaps.
  • Use AWS Compute Optimizer for right-sizing recommendations based on actual utilization metrics. It analyzes CPU, memory, network, and storage to recommend optimal instance types.
  • Consider AWS Graviton instances (Arm-based processors) for up to 40% better price-performance compared to x86 instances for compatible workloads.
  • Use Savings Plans or Reserved Instances for predictable workloads (up to 72% discount), and Spot Instances for fault-tolerant workloads (up to 90% discount).

Backup & Recovery

  • Regularly back up EBS volumes using Amazon EBS snapshots and create an Amazon Machine Image (AMI) from the instance to save the configuration as a template for launching future instances.
  • Use Amazon Data Lifecycle Manager (DLM) to automate the creation, retention, and deletion of EBS snapshots and EBS-backed AMIs on a schedule.
  • Use AWS Backup for centralized, policy-based backup management across EC2, EBS, and other AWS services with cross-account and cross-region capabilities.
  • Deploy critical components of the application across multiple Availability Zones, and replicate data appropriately.
  • Design applications to handle dynamic IP addressing when the instance restarts.
  • Monitor and respond to events using Amazon EventBridge and CloudWatch Alarms.
  • Implement failover:
    • For a basic solution, manually attach a network interface or Elastic IP address to a replacement instance.
    • For an automated solution, use Amazon EC2 Auto Scaling with health checks to automatically replace unhealthy instances.
    • For predictable traffic patterns, use Predictive Scaling to proactively scale capacity ahead of demand spikes.
  • Regularly test the process of recovering instances and EBS volumes to ensure data and services are restored successfully.
  • Use EC2 instance recovery with CloudWatch alarms to automatically recover instances when underlying hardware fails.

Networking

  • Be aware of connection tracking behavior on Nitro-based instances. Sixth-generation Nitro (Nitro V6) instances launched in June 2025 changed the default TCP connection tracking idle timeout from 432,000 seconds (5 days) to 350 seconds.
  • Use configurable idle timeouts for connection tracking to optimize conntrack allowance usage and reduce leaked connections.
  • Use Capacity Reservations for business-critical workloads to ensure EC2 capacity is available when needed, especially in multi-AZ deployments.

AWS Bastion Host – Secure SSH/RDP Access

Bastion Host Overview

📌 2025 Update: Modern Alternatives to Bastion Hosts

While bastion hosts remain a valid architecture pattern, AWS now offers several alternatives that remove the need to run and harden a dedicated jump server: EC2 Instance Connect Endpoint, AWS Systems Manager Session Manager, and AWS Verified Access (each described under Modern Alternatives to Bastion Hosts below).

The AWS Quick Start for Linux Bastion was archived in October 2024 as part of the retirement of the AWS Quick Start program.

  • A bastion is a fortified structure that protects whatever sits behind it.
  • In AWS, a bastion host (also referred to as a jump server) is used to securely access instances in private subnets.
  • A bastion host launched in a public subnet acts as the single entry point from the Internet and proxies SSH/RDP connections to the other instances.

Key points

  • The bastion host is deployed in the public subnet and acts as a proxy or gateway between you and your instances.
  • The bastion host is a security measure that reduces the attack surface of your infrastructure: hardening effort is concentrated on a single, well-monitored layer instead of on every instance.
  • The bastion host lets you log in to instances in the private subnet without storing private keys on the bastion (using ssh-agent forwarding or an RDP gateway). Prefer SSH ProxyJump (ssh -J bastion target) over agent forwarding where possible: a forwarded agent socket can be used by anyone who compromises the bastion while your session is open, whereas ProxyJump only tunnels the TCP connection through it.
  • Bastion host security can be tightened further by allowing SSH/RDP access only from specific trusted IPs or corporate IP ranges.
  • The bastion host shouldn't be used for any other purpose, as extra software and users open unnecessary security holes.
  • Security groups for all instances in the private subnet should be hardened to accept SSH/RDP connections only from the bastion host's security group.
  • Deploy a bastion host in each Availability Zone for HA, because if the bastion instance or the AZ hosting it goes down, the ability to connect to your private instances is lost completely.
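The two security-group rules in the key points (bastion reachable only from trusted IPs, private instances reachable only from the bastion's security group) are the ones most often got wrong, so here is an added checker (not from the original page or from AWS) that evaluates them against dictionaries shaped like boto3's `ec2.describe_security_groups()` response. It also rejects malformed trusted CIDRs such as `72.34.51.100/0`, the distractor in practice question 4 below, and ignores UDP/22 rules, which do nothing for SSH. The group IDs and addresses are constructed sample data.

```python
"""Check security groups against the bastion access pattern.

Added example, not part of the original page. Input dicts mimic boto3's
ec2.describe_security_groups() response; all IDs and addresses are constructed.
"""
from __future__ import annotations
import ipaddress

ADMIN_PORTS = {22, 3389}

# Constructed sample: a bastion SG that correctly allows SSH from one corporate
# /32 but mistakenly opens RDP to the world, and an application SG that allows
# SSH from the bastion SG (correct) and from a whole /16 (wrong), plus a UDP/22
# rule that is noise rather than exposure.
BASTION_SG_ID = "sg-0ba5710000000001"
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": BASTION_SG_ID, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "72.34.51.100/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a99000000000002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG_ID}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]}


def parse_trusted_cidr(cidr: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    """strict=True raises ValueError for host bits under the mask, e.g. 72.34.51.100/0."""
    return ipaddress.ip_network(cidr, strict=True)


def covers_admin_port(perm: dict) -> bool:
    """True if an IpPermissions entry reaches TCP 22 or 3389 (or is all traffic, "-1")."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def check_bastion_sg(sg: dict, trusted_cidrs: list[str]) -> list[str]:
    """Findings: any admin-port source that is not inside one of the trusted CIDRs."""
    trusted = [parse_trusted_cidr(c) for c in trusted_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not covers_admin_port(perm):
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                  [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            net = ipaddress.ip_network(src, strict=False)
            if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
                findings.append(f"{sg['GroupId']}: admin ports open to {src}")
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(f"{sg['GroupId']}: admin ports open to group {pair['GroupId']}")
    return findings


def check_private_sg(sg: dict, bastion_sg_id: str) -> list[str]:
    """Findings: admin ports on a private-subnet SG reachable from anything but the bastion SG."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not covers_admin_port(perm):
            continue
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            findings.append(f"{sg['GroupId']}: admin ports open to CIDR {r.get('CidrIp', r.get('CidrIpv6'))}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != bastion_sg_id:
                findings.append(f"{sg['GroupId']}: admin ports open to non-bastion group {pair['GroupId']}")
    return findings


if __name__ == "__main__":
    bastion, app = SAMPLE_SGS["SecurityGroups"]
    for line in check_bastion_sg(bastion, ["72.34.51.100/32"]) + check_private_sg(app, BASTION_SG_ID):
        print(line)
```

Referencing the bastion's security group ID as the source (a `UserIdGroupPairs` entry) rather than its IP address is what keeps the private-instance rule valid when the bastion is replaced by Auto Scaling and gets a new address.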

Modern Alternatives to Bastion Hosts

EC2 Instance Connect Endpoint (EIC Endpoint)

  • Launched in June 2023, EC2 Instance Connect Endpoint allows secure connectivity to instances in private subnets from the internet without requiring a bastion host
  • No IGW in the VPC, no public IP on the instance, and no agent installation required
  • Supports SSH and RDP connections using private IP addresses
  • Access is controlled through IAM policies and security groups
  • Available at no additional cost
  • One EIC Endpoint per VPC; supported in all AWS Regions except Canada West (Calgary)
  • Ideal for ad-hoc access to private instances without maintaining bastion infrastructure

AWS Systems Manager Session Manager

  • Provides secure, auditable instance management without opening inbound ports (no port 22/3389 needed)
  • No SSH keys to manage – access is controlled entirely through IAM policies
  • Requires SSM Agent installed on the instance (pre-installed on Amazon Linux 2, Amazon Linux 2023, and many other AMIs)
  • Provides full audit trail in AWS CloudTrail and session logging to S3/CloudWatch
  • Supports port forwarding for accessing applications on private instances
  • Works with instances in private subnets without internet access (via VPC endpoints)
  • Recommended by AWS as a bastion host replacement for operational access

AWS Verified Access

  • Provides secure, VPN-less access based on Zero Trust principles
  • Originally supported only HTTP/HTTPS applications (GA April 2023)
  • Non-HTTP protocol support (SSH, RDP, TCP) went GA in February 2025
  • Evaluates access based on user identity and device security posture on every request
  • Uses Cedar policy language for fine-grained access control
  • Integrates with identity providers (IdPs) and device trust providers (Jamf, CrowdStrike, etc.)
  • Achieved FedRAMP High and Moderate authorization (March 2025)
  • Ideal for enterprise environments requiring identity-aware, device-trust-based access

When to Still Use a Bastion Host

  • Legacy environments where SSM Agent cannot be installed
  • Compliance requirements mandating a traditional network perimeter
  • Environments needing specific protocol support not covered by alternatives
  • Third-party access where IAM-based solutions are not feasible
  • AWS certification exams still heavily test bastion host concepts

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?
    1. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.
    2. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.
    3. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses.
    4. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.
  2. You are designing a system that has a Bastion host. This component needs to be highly available without human intervention. Which of the following approaches would you select?
    1. Run the bastion on two instances one in each AZ
    2. Run the bastion on an active Instance in one AZ and have an AMI ready to boot up in the event of failure
    3. Configure the bastion instance in an Auto Scaling group Specify the Auto Scaling group to include multiple AZs but have a min-size of 1 and max-size of 1
    4. Configure an ELB in front of the bastion instance
  3. You’ve been brought in as solutions architect to assist an enterprise customer with their migration of an ecommerce platform to Amazon Virtual Private Cloud (VPC). The previous architect has already deployed a 3-tier VPC. The configuration is as follows:
    VPC vpc-2f8bc447
    IGW igw-2d8bc445
    NACL acl-2080c448
    Subnets and Route Tables:
    Web server’s subnet-258bc44d
    Application server’s subnet-248bc44c
    Database server’s subnet-9189c6f9
    Route Tables:
    rtb-218bc449
    rtb-238bc44b
    Associations:
    subnet-258bc44d: rtb-218bc449
    subnet-248bc44c: rtb-238bc44b
    subnet-9189c6f9: rtb-238bc44b
    You are now ready to begin deploying EC2 instances into the VPC. Web servers must have direct access to the internet. Application and database servers cannot have direct access to the internet. Which configuration below will allow you the ability to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet?
    1. Create a bastion and NAT Instance in subnet-258bc44d and add a route from rtb-238bc44b to subnet-258bc44d. (Route should point to the NAT)
    2. Add a route from rtb-238bc44b to igw-2d8bc445 and add a bastion and NAT instance within subnet-248bc44c. (Adding the IGW to route table rtb-238bc44b would expose the Application and Database servers to the internet. Bastion and NAT should be in the public subnet)
    3. Create a Bastion and NAT Instance in subnet-258bc44d. Add a route from rtb-238bc44b to igw-2d8bc445. And a new NACL that allows access between subnet-258bc44d and subnet-248bc44c. (Route should point to the NAT and not the Internet Gateway, else the servers would be internet accessible.)
    4. Create a Bastion and NAT instance in subnet-258bc44d and add a route from rtb-238bc44b to the NAT instance. (Bastion and NAT should be in the public subnet. As the Web Server has direct access to the Internet, subnet-258bc44d should be public and route table rtb-218bc449 should point to the IGW. Route table rtb-238bc44b for the private subnets should point to the NAT for outgoing internet access)
  4. You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host. Which option will meet the customer requirement?
    1. Security Group Inbound Rule: Protocol – TCP. Port Range – 22, Source 72.34.51.100/32
    2. Security Group Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
    3. Network ACL Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
    4. Network ACL Inbound Rule: Protocol – TCP, Port Range-22, Source 72.34.51.100/0
  5. A company needs to provide secure access to EC2 instances in private subnets without managing SSH keys or opening inbound ports. The solution must provide an audit trail of all sessions. Which AWS service should they use?
    1. Deploy a bastion host in a public subnet with an Auto Scaling group
    2. Use AWS Systems Manager Session Manager with IAM-based access control
    3. Use EC2 Instance Connect Endpoint with a public IP on the instances
    4. Configure a VPN connection from the corporate network
  6. A solutions architect needs to allow developers to connect via SSH to EC2 instances in a private subnet that has no internet gateway and no NAT gateway. The instances do not have public IP addresses. Which solution requires the LEAST operational overhead?
    1. Deploy a bastion host in a public subnet and configure security groups
    2. Set up an AWS Site-to-Site VPN connection
    3. Create an EC2 Instance Connect Endpoint in the VPC
    4. Configure AWS Direct Connect with a private virtual interface
  7. An enterprise wants to implement zero trust access to their internal applications and SSH-based administration of EC2 instances. Access should be granted based on user identity and device security posture without using a VPN or bastion host. Which AWS service meets these requirements?
    1. AWS Systems Manager Session Manager
    2. EC2 Instance Connect Endpoint
    3. AWS Verified Access
    4. AWS Client VPN
  8. Which of the following are valid modern alternatives to using a bastion host for accessing private EC2 instances? (Select THREE)
    1. AWS Systems Manager Session Manager
    2. Amazon Inspector
    3. EC2 Instance Connect Endpoint
    4. AWS Config
    5. AWS Verified Access with non-HTTP protocol support
