With this addition, you can optionally enable MFA on the bastion host; the template then sets up and configures the google-authenticator PAM module for sshd. The first time you SSH into the EC2 instance, it runs the one-time password enrollment for your user, prints the enrollment information you load into an authenticator app, and logs you out once that initialization is complete. From then on, when you SSH to the instance with your username and private key, you are additionally prompted for a time-based one-time password (TOTP) generated by an app such as Google Authenticator, 1Password, or Authy. The private key is still required; the TOTP is a second factor on top of it, not a replacement.
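To make the second factor concrete, here is an added example (not code from this PR or from the google-authenticator project) of what the authenticator app computes and what the PAM module checks on the bastion: RFC 6238 TOTP over an HMAC-SHA1 HOTP, with google-authenticator's defaults of 6 digits and a 30-second step. The verifier side accepts a code from neighbouring time steps to tolerate clock skew and refuses to accept a time step that has already been consumed, which is the reuse protection you want when a code could be shoulder-surfed or captured. The secret is a constructed one (RFC 6238's reference key, base32-encoded); the `window` size and the `TotpVerifier` class are illustrative choices, not the module's own configuration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed secret for this example: RFC 6238's reference key "12345678901234567890",
# base32-encoded, which is the form google-authenticator shows at enrollment.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # google-authenticator default time step
DIGITS = 6          # google-authenticator default code length


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the phone app shows."""
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, at_time // step, digits)


class TotpVerifier:
    """Server-side check modelled on what a PAM TOTP module does (illustrative, not the
    module's code): accept a code from any time step within +/- `window` steps of the
    current one (clock skew), but never accept the same or an older time step twice."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret_b32 = secret_b32
        self.window = window
        self.step = step
        self.last_used_step = None  # highest time step already consumed by a successful login

    def verify(self, code: str, at_time: int) -> bool:
        current = at_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate < 0:
                continue
            expected = totp(self.secret_b32, candidate * self.step, step=self.step)
            if hmac.compare_digest(expected, code):
                if self.last_used_step is not None and candidate <= self.last_used_step:
                    return False  # replay: this code (or an older one) was already used
                self.last_used_step = candidate
                return True
        return False  # nothing in the skew window matched


if __name__ == "__main__":
    verifier = TotpVerifier(EXAMPLE_SECRET_B32)
    code = totp(EXAMPLE_SECRET_B32, 59)
    print(code, verifier.verify(code, 59), verifier.verify(code, 59))
```

The skew window is a trade-off: widening it helps users whose phone clock drifts, but every extra step is another code an attacker who captured one could still spend, so the reuse check matters more, not less, as the window grows.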
I manually verified SSH connectivity from the bastion host into an EC2 instance launched in the public subnet created from the startup-kit template, into instances launched in the private subnets of two Availability Zones created from the startup-kit template, and to a database in a private subnet created from the startup-kit template. The security group of the EC2 instances launched is AppSecurityGroup (created from the vpc.cfn.yml of the startup-kit template).
I also tested triggering the alarms: more than three invalid users attempting to SSH into the bastion host in less than a minute, and more than 15 closed connections received in 5 minutes caused by the use of a bad private key or invalid usernames.
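The two alarm conditions tested above (more than three invalid users in under a minute, more than 15 pre-auth connection closures in five minutes) are the kind of thing a CloudWatch metric filter on the bastion's sshd log counts. The following is an added example, not part of this PR or the startup-kit, that reproduces the same sliding-window counting locally over constructed `/var/log/secure` lines so you can check the thresholds fire where you expect before wiring them up. The log wording follows OpenSSH's "Invalid user ... from" and "Connection closed by ... [preauth]" messages; the sample lines, the `LOG_YEAR` value (syslog timestamps carry no year), and the rule table are assumptions for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# sshd events the two alarms count (patterns are assumptions matching OpenSSH's usual wording)
EVENT_PATTERNS = {
    "invalid_user": re.compile(r"sshd\[\d+\]: Invalid user \S+ from \S+"),
    "closed_preauth": re.compile(r"sshd\[\d+\]: Connection closed by .*\[preauth\]"),
}
# (window, threshold): fire when strictly more than `threshold` events fall inside `window`
ALARM_RULES = {
    "invalid_user": (timedelta(minutes=1), 3),
    "closed_preauth": (timedelta(minutes=5), 15),
}
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
LOG_YEAR = 2024  # assumed: syslog lines have no year field


def parse_timestamp(line: str):
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")


def classify(line: str):
    for name, pattern in EVENT_PATTERNS.items():
        if pattern.search(line):
            return name
    return None


def evaluate_alarms(lines):
    """Sliding window per event type over chronologically ordered lines.
    Returns {rule: [ISO timestamp of every event that pushed the count over the threshold]}."""
    windows = {name: deque() for name in ALARM_RULES}
    fired = {name: [] for name in ALARM_RULES}
    for line in lines:
        name = classify(line)
        ts = parse_timestamp(line)
        if name is None or ts is None:
            continue  # noise (successful logins, other daemons) or unparseable line
        window, threshold = ALARM_RULES[name]
        q = windows[name]
        q.append(ts)
        while ts - q[0] >= window:   # keep only events strictly inside the window
            q.popleft()
        if len(q) > threshold:
            fired[name].append(ts.isoformat())
    return fired


# Constructed sample log: four username-guessing attempts within 51 seconds (alarm on the
# fourth), then a burst of bad-key attempts that reaches 16 pre-auth closures in under 5 min.
SAMPLE_LOG = [
    "Jan 15 10:00:01 ip-10-0-0-5 sshd[2101]: Invalid user admin from 203.0.113.7 port 51001",
    "Jan 15 10:00:01 ip-10-0-0-5 sshd[2101]: Connection closed by invalid user admin 203.0.113.7 port 51001 [preauth]",
    "Jan 15 10:00:14 ip-10-0-0-5 sshd[2107]: Invalid user oracle from 203.0.113.7 port 51002",
    "Jan 15 10:00:14 ip-10-0-0-5 sshd[2107]: Connection closed by invalid user oracle 203.0.113.7 port 51002 [preauth]",
    "Jan 15 10:00:30 ip-10-0-0-5 sshd[2113]: Invalid user test from 203.0.113.7 port 51003",
    "Jan 15 10:00:30 ip-10-0-0-5 sshd[2113]: Connection closed by invalid user test 203.0.113.7 port 51003 [preauth]",
    "Jan 15 10:00:45 ip-10-0-0-5 sshd[2120]: Accepted publickey for ec2-user from 198.51.100.4 port 40001 ssh2",
    "Jan 15 10:00:52 ip-10-0-0-5 sshd[2126]: Invalid user postgres from 203.0.113.7 port 51004",
]
for i in range(13):  # 13 more bad-key closures, 10 s apart, 10:01:00 .. 10:03:00
    t = datetime(LOG_YEAR, 1, 15, 10, 1, 0) + timedelta(seconds=10 * i)
    SAMPLE_LOG.append(
        f"{t.strftime('%b %d %H:%M:%S')} ip-10-0-0-5 sshd[{2200 + i}]: "
        f"Connection closed by authenticating user ec2-user 203.0.113.7 port {52000 + i} [preauth]"
    )
# One more invalid user two minutes later: the earlier four have aged out, so no second alarm
SAMPLE_LOG.append("Jan 15 10:02:00 ip-10-0-0-5 sshd[2300]: Invalid user git from 203.0.113.7 port 51005")


if __name__ == "__main__":
    for rule, times in evaluate_alarms(SAMPLE_LOG).items():
        print(rule, times)
```

Note that "closed connections" counts both bad-key and bad-username attempts, since each ends with a pre-auth closure, so that alarm is the broader of the two; the invalid-user alarm fires earlier on pure username guessing because its window and threshold are tighter.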