A bastion host could open you up to a single point of attack? It can, but here are two ways to secure your bastion host:
- The AWS security WP recommends only allowing access through the corporate network (VPN access):
- This video talks about separate security credentials for bastion host:
- http://www.youtube.com/watch?v=XhYX06RmMHc&list=PLhr1KZpdzukcPA0A7h3FKDcMfKNPytXVf&feature=player_detailpage#t=837s (this could be a separate user name password or more likely another PEM/PPK private key file)
Having only one point of attack is way better than opening up more than one or all of your EC2 instances for port 22 (SSH, assuming Linux) to the 0.0.0.0/0 CIDR block.
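The first recommendation above (SSH reachable only from the corporate network) is something you can audit rather than take on trust. The following is an added example, not code from the original post: a small check that walks security group rules in the shape returned by the EC2 `DescribeSecurityGroups` API and flags any rule that exposes TCP/22 to the world or to a source outside the corporate range. The group IDs and the corporate CIDR (`203.0.113.0/24`, a documentation range) are constructed, hypothetical values; in real use you would feed it the `SecurityGroups` list from `boto3` instead of the inline sample.

```python
import ipaddress

# Assumption: the corporate office / VPN egress range that is allowed to reach
# the bastion on SSH. 203.0.113.0/24 is a documentation range used as a placeholder.
CORPORATE_CIDR = ipaddress.ip_network("203.0.113.0/24")

# Constructed sample data in the shape of an EC2 DescribeSecurityGroups
# response; the group IDs are hypothetical, not from the original post.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion-ok", "GroupName": "bastion-restricted",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-bastion-bad", "GroupName": "bastion-open",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # "-1" means all protocols/ports, so it implicitly includes SSH.
    {"GroupId": "sg-app", "GroupName": "app-tier",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # HTTPS to the world is not an SSH exposure and must not be flagged.
    {"GroupId": "sg-web", "GroupName": "web-tier",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def rule_covers_ssh(perm):
    """True if an IpPermission entry allows TCP/22, including 'all traffic' rules."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)


def _sources(perm):
    """Yield every IPv4 and IPv6 source network listed on a rule."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def find_open_ssh(groups, allowed=CORPORATE_CIDR):
    """Return (group_id, source_cidr, reason) for every SSH rule that is not
    confined to the allowed corporate range."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not rule_covers_ssh(perm):
                continue
            for src in _sources(perm):
                if src.prefixlen == 0:
                    findings.append((g["GroupId"], str(src), "SSH open to the world"))
                elif src.version != allowed.version or not src.subnet_of(allowed):
                    findings.append((g["GroupId"], str(src), "SSH source outside corporate range"))
    return findings


if __name__ == "__main__":
    # With boto3 you would pass ec2.describe_security_groups()["SecurityGroups"].
    for group_id, cidr, reason in find_open_ssh(SAMPLE_GROUPS):
        print(f"{group_id}: {cidr} -> {reason}")
```

Run on the sample, only `sg-bastion-bad` and `sg-app` are reported; the restricted bastion group passes and the HTTPS rule is ignored. The check treats an all-traffic (`-1`) rule as an SSH exposure because it is one, which is easy to miss when grepping only for port 22.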