Bastion CLI Volume Encryption and Type Configuration
Introduction
The Bastion CLI tool has been enhanced with new capabilities for managing EBS volume configurations when launching bastion instances. This release introduces two important features that provide users with greater control over the storage configuration of their bastion instances: volume encryption and volume type selection. These enhancements improve security posture and allow for performance optimization based on specific use cases.
Features
Volume Encryption Support
The bastion-cli now supports enabling or disabling EBS volume encryption when launching both Linux and Windows bastion instances. This feature addresses security requirements for organizations that mandate encrypted storage for all EC2 instances.
Key Details:
- Default Behavior: Volume encryption is enabled by default for all new bastion instances
- Configuration Option: Users can explicitly disable encryption if needed using the --volume-encryption flag
- Encryption Method: Uses AWS-managed encryption keys (AWS KMS)
- Compatibility: Works with both Linux and Windows bastion instances
Volume Type Configuration
Users can now specify the EBS volume type when launching bastion instances, allowing for performance and cost optimization based on specific requirements.
Supported Volume Types:
- gp2 (General Purpose SSD v2) - Default option
- gp3 (General Purpose SSD v3) - Latest generation with better price/performance
- io1 (Provisioned IOPS SSD v1) - For I/O intensive workloads
- io2 (Provisioned IOPS SSD v2) - Latest generation provisioned IOPS
Key Details:
- Default Volume Type: If not specified, defaults to gp2 for backward compatibility
- Volume Size: Fixed at 8 GiB for all bastion instances
- Delete on Termination: Volumes are automatically deleted when the bastion instance is terminated
Implementation Details
The implementation adds proper block device mapping configuration to the EC2 instance launch parameters:
- Device name is set to /dev/xvda (standard root device mapping)
- Volume size is fixed at 8 GiB
- Delete on termination is enabled to ensure cleanup
- Both encryption and volume type settings are applied to the root volume
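The root-volume block device mapping described above, as an added example that is not bastion-cli's own code: it models the mapping in a plain Go struct (the real tool builds it with the AWS SDK's EC2 types, which are not imported here), validates the volume type against the four supported values before any launch call would be made, and renders the JSON shape that `aws ec2 run-instances --block-device-mappings` accepts so the settings can be reviewed ahead of a launch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Ebs mirrors the EBS section of an EC2 block device mapping (assumed plain
// struct; the real tool uses the AWS SDK's EC2 types, not imported here).
type Ebs struct {
	VolumeSize          int    `json:"VolumeSize"`
	VolumeType          string `json:"VolumeType"`
	Encrypted           bool   `json:"Encrypted"`
	DeleteOnTermination bool   `json:"DeleteOnTermination"`
}
type BlockDeviceMapping struct {
	DeviceName string `json:"DeviceName"`
	Ebs        Ebs    `json:"Ebs"`
}

// The four volume types the CLI accepts.
var supportedVolumeTypes = map[string]bool{"gp2": true, "gp3": true, "io1": true, "io2": true}

// RootVolumeMapping builds the single root-volume mapping: /dev/xvda, 8 GiB,
// delete on termination, with caller-controlled encryption and volume type.
// An empty volumeType falls back to gp2; unknown types are rejected up front.
func RootVolumeMapping(volumeType string, encrypted bool) ([]BlockDeviceMapping, error) {
	if volumeType == "" {
		volumeType = "gp2"
	}
	if !supportedVolumeTypes[volumeType] {
		return nil, fmt.Errorf("unsupported volume type %q (want gp2, gp3, io1 or io2)", volumeType)
	}
	return []BlockDeviceMapping{{
		DeviceName: "/dev/xvda",
		Ebs:        Ebs{VolumeSize: 8, VolumeType: volumeType, Encrypted: encrypted, DeleteOnTermination: true},
	}}, nil
}

// MappingJSON renders the mapping in the JSON form the AWS CLI accepts for
// --block-device-mappings, so the settings can be reviewed before launch.
func MappingJSON(volumeType string, encrypted bool) (string, error) {
	m, err := RootVolumeMapping(volumeType, encrypted)
	if err != nil {
		return "", err
	}
	b, err := json.Marshal(m)
	return string(b), err
}

func main() {
	out, _ := MappingJSON("gp3", true) // encrypted gp3 root volume
	fmt.Println(out)
}
```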
Examples
Launching a Linux Bastion with Default Encryption
By default, encryption is enabled, so no additional flags are needed:
# Launch with encrypted volume (default behavior)
bastion launch --subnet-id subnet-xxxxxxxxx
Launching a Linux Bastion without Encryption
To explicitly disable encryption:
# Launch without encryption
bastion launch --subnet-id subnet-xxxxxxxxx --volume-encryption
Launching a Linux Bastion with GP3 Volume Type
To use the newer GP3 volume type for better price/performance:
# Launch with GP3 volume type
bastion launch --subnet-id subnet-xxxxxxxxx --volume-type gp3
Launching a Windows Bastion with IO2 Volume Type
For a Windows bastion requiring high-performance storage:
# Launch Windows bastion with IO2 volume
bastion launch-windows --subnet-id subnet-xxxxxxxxx --volume-type io2
Combining Volume Options
You can combine both options as needed:
# Launch with specific volume type and without encryption
bastion launch --subnet-id subnet-xxxxxxxxx --volume-type gp3 --volume-encryption
SSH Session with Encrypted GP3 Volume
For a secure SSH session with optimized storage:
# Launch SSH bastion with encrypted GP3 volume
bastion launch --ssh --ssh-key ~/.ssh/id_rsa.pub --volume-type gp3
Windows RDP Session with Custom Volume Configuration
For a Windows RDP session with specific storage requirements:
# Launch Windows RDP bastion with IO1 volume
bastion launch-windows --rdp --volume-type io1
Technical Implementation
The changes modify three key files in the bastion-cli codebase:
- ec2.go: Updated the StartEc2 function to accept volume encryption and type parameters, and added block device mapping configuration
- launch.go: Modified both Linux and Windows launch functions to handle the new volume parameters
- main.go: Added CLI flags for both --volume-encryption and --volume-type options
The implementation ensures backward compatibility while providing sensible defaults that align with security best practices.
Conclusion
This release enhances the Bastion CLI tool with important storage configuration options that improve both security and flexibility. The default encryption setting helps organizations maintain compliance with security policies, while the volume type selection allows for performance optimization based on specific use cases. These features are immediately available in the latest version of bastion-cli and can be used with both Linux and Windows bastion instances.
Users are encouraged to review their bastion launch scripts and consider adopting the GP3 volume type for better price/performance ratios. The encryption default aligns with AWS security best practices and should be suitable for most use cases.
For any questions or issues related to these new features, please refer to the Bastion CLI GitHub repository or contact the Base2 Services support team.