Farhan
No More Bastion Hosts: How AWS SSM Enhances Security and Cuts Costs

When using AWS to run EC2 instances in a private subnet, one big question arises: How do you securely access these instances? Traditionally, the answer has been a bastion server—an EC2 instance set up specifically to act as a secure gateway between your private EC2 instances and the outside world. But today, AWS offers a better option with AWS Systems Manager (SSM). Not only is SSM easier to use, but it’s also much more cost-effective.

In this post, we’ll compare these two methods—bastion server vs. SSM—and explain why SSM is often the cheaper and better solution for accessing private EC2 instances.

What is a Bastion Server?

A bastion server (also called a "jump box") is an EC2 instance that acts as a middleman. When you want to access private EC2 instances, you first connect to the bastion server, and from there, you access the private EC2 instances using SSH or Remote Desktop Protocol (RDP).

How It Works:

  1. Launch an EC2 instance in the public subnet of your VPC and expose an SSH or RDP service on it.
  2. Connect to the bastion server from your local machine.
  3. From the bastion server, access your private EC2 instances over their internal IP addresses.

While this method works, there are some downsides:

  • Costs: You’re paying to keep the bastion server running, even when nobody is using it.
  • Maintenance: You need to maintain, secure, and patch the server yourself.
  • Security Risk: The bastion only works if its SSH or RDP port is reachable from the internet, which makes it an internet-facing attack surface that must be hardened and monitored continuously.

What is AWS Systems Manager (SSM)?

AWS Systems Manager (SSM) provides a secure way to manage your EC2 instances without needing SSH or RDP. It uses Session Manager, which allows you to open a terminal session to your EC2 instances directly from the AWS Console or the AWS CLI, with no need for an open SSH port.

How It Works:

  1. Enable SSM: The SSM agent is pre-installed on most EC2 AMIs (such as Amazon Linux and Ubuntu). Ensure the instance has the required permissions by attaching an IAM instance profile whose role carries the AmazonSSMManagedInstanceCore managed policy.
  2. Access EC2 Instances: Use Session Manager in the AWS Console or the AWS CLI to connect to the instance. You don’t need to open SSH or RDP ports.
  3. Optional Logging: You can log session activity to Amazon S3 or CloudWatch Logs for auditing.
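The two conditions the bastion downsides above and the SSM steps here turn on can be checked mechanically: no security group should expose SSH or RDP to the whole internet, and an instance in a private subnet needs the instance-profile policy plus the three interface endpoints (ssm, ssmmessages, ec2messages) that Session Manager uses. The script below is an added example and not code from the original post. It runs offline on constructed dictionaries shaped like the relevant fields of `aws ec2 describe-security-groups`, `describe-instances` and `describe-vpc-endpoints` output; the group ids, instance id, account number and region in the sample data are made up.

```python
"""Offline exposure and SSM-readiness check (added example, not the post's code).

The input dictionaries mirror the field names of the AWS CLI describe-* calls
so the functions can be pointed at real boto3 output, but everything here is
constructed sample data and needs no AWS credentials.
"""
from __future__ import annotations

# Managed policy named in the post; the SSM agent registers only if the
# instance profile's role grants these permissions.
SSM_MANAGED_POLICY = "AmazonSSMManagedInstanceCore"

# Interface endpoint service-name suffixes Session Manager needs when the
# subnet has no route to the internet.
REQUIRED_ENDPOINT_SUFFIXES = (".ssm", ".ssmmessages", ".ec2messages")

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def exposed_admin_ports(security_group: dict) -> list[str]:
    """Return one finding per inbound SSH/RDP rule open to the whole internet."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # "-1" means all protocols and all ports.
        lo = 0 if proto == "-1" else perm.get("FromPort", 0)
        hi = 65535 if proto == "-1" else perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(c in (ANY_V4, ANY_V6) for c in cidrs):
            continue
        for port, name in ADMIN_PORTS.items():
            if lo <= port <= hi:
                findings.append(
                    f"{security_group['GroupId']}: {name} (tcp/{port}) open to the internet"
                )
    return findings


def ssm_readiness(instance: dict, attached_policies: list[str],
                  subnet_is_private: bool, vpc_endpoints: list[dict]) -> list[str]:
    """Return the gaps that would stop Session Manager from reaching `instance`.

    attached_policies: managed policy names on the instance profile's role.
    subnet_is_private: True when the subnet has no internet or NAT route.
    vpc_endpoints: describe-vpc-endpoints entries for the instance's VPC.
    """
    gaps = []
    if "IamInstanceProfile" not in instance:
        gaps.append("no instance profile attached")
    elif SSM_MANAGED_POLICY not in attached_policies:
        gaps.append(f"instance profile lacks {SSM_MANAGED_POLICY}")
    if subnet_is_private:
        present = {e["ServiceName"] for e in vpc_endpoints if e.get("State") == "available"}
        for suffix in REQUIRED_ENDPOINT_SUFFIXES:
            if not any(name.endswith(suffix) for name in present):
                gaps.append(f"missing VPC endpoint for com.amazonaws.<region>{suffix}")
    return gaps


# --- constructed sample data; none of these ids refer to real resources ---
BASTION_SG = {
    "GroupId": "sg-bastion-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
PRIVATE_SG = {
    "GroupId": "sg-private-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}
PRIVATE_INSTANCE = {
    "InstanceId": "i-0example",
    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-example"},
}
# Only two of the three required endpoints exist in this sample VPC.
ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.ssm", "State": "available"},
    {"ServiceName": "com.amazonaws.us-east-1.ssmmessages", "State": "available"},
]


def run_checks() -> dict[str, list[str]]:
    """Run both checks over the sample data and return the findings by name."""
    return {
        "bastion_exposure": exposed_admin_ports(BASTION_SG),
        "private_exposure": exposed_admin_ports(PRIVATE_SG),
        "ssm_gaps": ssm_readiness(PRIVATE_INSTANCE, [SSM_MANAGED_POLICY], True, ENDPOINTS),
    }


if __name__ == "__main__":
    for name, items in run_checks().items():
        print(f"{name}: {items or 'OK'}")
```

The sample run flags the bastion group's world-open SSH rule and reports the missing ec2messages endpoint for the private instance, which is exactly the pair of things to fix before the bastion is retired: close the port, add the endpoint. Against a live account, feed `describe-security-groups` output to `exposed_admin_ports` and the route-table state to `subnet_is_private`.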

Benefits:

  • No need for a bastion server: No EC2 instance is required.
  • No open ports: It’s more secure as there are no exposed SSH or RDP ports.
  • Lower maintenance: SSM is managed by AWS, so there’s no need to patch or maintain an extra server.

Cost Comparison: Bastion Server vs. SSM

1. Bastion Server Costs:

  • EC2 Instance (t3.micro): ~$8.25 per month (on-demand pricing, US East).
  • Elastic IP (if required): ~$3.60 per month (if the instance is stopped).
  • Maintenance Costs: Ongoing effort to maintain and secure the instance.

Total: ~$12–$20 per month depending on instance uptime and configuration.

2. SSM Costs:

  • SSM Service: Free to use.
  • VPC Endpoints (if needed): If your EC2 instance is in a private subnet with no internet access, you’ll need VPC interface endpoints for SSM, which cost around $5–$10 per month.
  • S3 or CloudWatch Logs (Optional): If you log session activity, it costs ~$0.023 per GB for S3 storage or $0.50 per GB for CloudWatch Logs.

Total: ~$5–$10 per month, depending on optional logging and VPC endpoint usage.

Conclusion: SSM is More Cost-Effective

Using SSM is not only more secure (since no ports are exposed), but it’s also cheaper. You avoid paying for a separate EC2 instance and can control access to your private EC2 instances directly from the AWS Console or CLI. The costs for logging or VPC endpoints are minimal compared to running a bastion server, making SSM the more cost-effective solution for most users.


Summary of Monthly Costs:

| Cost Factor | Bastion Server | SSM (No Bastion) |
|---|---|---|
| EC2 instance (t3.micro) | ~$8.25 per month | None |
| Elastic IP (if applicable) | ~$3.60 per month | None |
| VPC Endpoints (optional) | Not required | ~$5–$10 per month (if private subnet) |
| S3/CloudWatch Logging | Not applicable | ~$0.023/GB for S3, $0.50/GB for CloudWatch |
| Maintenance | High (patching, securing SSH keys, etc.) | Low (handled by AWS) |
| Total Estimated Cost | ~$12–$20 per month | ~$5–$10 per month (depending on logging) |

Final Thoughts

For users who need to securely access private EC2 instances, AWS SSM offers a simpler, more cost-effective, and more secure solution compared to setting up a bastion server. Not only does SSM eliminate the need to maintain an extra server, but it also reduces the overall security risks by removing the need to open any SSH or RDP ports.

If you’re looking to reduce your AWS costs and simplify your infrastructure, consider switching to SSM for your EC2 access needs.


Let me know your thoughts in the comments, and if you’re already using SSM or bastion servers in your setup!
