Skip to main content

Cost-efficient bastion host with a CLI tool for convenient access to your AWS resources

Project description

Basti CDK


Basti CDK is a construct library that allows you to create cost-efficient bastion instances and easily connect to your infrastructure with Basti CLI.

💵 No idle costs. 🔑 No SSH keys. 🔒 Fully IAM-driven.

Diagram

Table of contents


Why Basti?

With Basti, you can securely connect to your RDS/Aurora/Elasticache/EC2 instances in private VPC subnets from a local machine or CI/CD pipeline almost for free!

How it works

  • 🏰 Using Basti CDK, you set up a bastion instance in the connection target's VPC.
  • 🧑‍💻 You use Basti CLI to conveniently connect to your target through the bastion instance.
  • 💵 Basti takes care of keeping the bastion instance stopped when it's not used to make the solution cost as low as ≈ 0.01 USD per hour of connection plus ≈ 0.80 USD per month of maintaining the instance in a stopped state.
  • 🔒 Security completely relies on AWS Session Manager and IAM policies. The bastion instance is not accessible from the Internet and no SSH keys are used.

Installation

The construct is available in multiple languages thanks to JSII.

NPM

npm install basti-cdk

PyPI

pip install basti-cdk

API reference

See the full API reference on Construct Hub.

Examples

See the test CDK apps for working examples of each feature the library provides.

Basic usage

Basti constructs can be imported from the basti-cdk package.

import { BastiAccessSecurityGroup, BastiInstance } from 'basti-cdk';

💡 RDS instance is used as an example target. You can use Basti to connect to any other AWS resource that supports security groups.

Set up Basti instance

Use BastiInstance construct to create Basti EC2 instance.

const bastiInstance = new BastiInstance(stack, 'BastiInstance', {
  vpc,

  // Optional. Randomly generated if omitted.
  // Used to name the EC2 instance and other resources.
  // The resulting name will be "basti-instance-my-bastion"
  bastiId: 'my-bastion',
});

Allow connection to target

Use BastiAccessSecurityGroup construct to create a security group for your target. This security group will allow the Basti instance to connect to the target.

// Create a security group for your target
const bastiAccessSecurityGroup = new BastiAccessSecurityGroup(
  stack,
  'BastiAccessSecurityGroup',
  {
    vpc,

    // Optional. Randomly generated if omitted.
    // Used to name the security group and other resources.
    // The resulting name will be "basti-access-my-target"
    bastiId: 'my-target',
  }
);

// Create the target
const rdsInstance = new aws_rds.DatabaseInstance(stack, 'RdsInstance', {
  // Unrelated properties are omitted for brevity

  vpc,
  port: 5432,

  securityGroups: [bastiAccessSecurityGroup],
});

// Allow the Basti instance to connect to the target on the specified port
bastiAccessSecurityGroup.allowBastiInstanceConnection(
  bastiInstance,
  aws_ec2.Port.tcp(rdsInstance.instanceEndpoint.port)
);

Connect to target

When the stack is deployed, you can use Basti CLI to connect to your target.

basti connect

Advanced usage

Importing existing Basti instance

When sharing a Basti instance across stacks, you can just pass it as a property to the other stack. In case you need to import a Basti instance created in a separate CDK app or not managed by CDK at all, you can use the BastiInstance.fromBastiId method. The method returns an IBastiInstance object which is sufficient for granting access to a connection target.

// Most likely, the VPC was created separately as well
const vpc = aws_ec2.Vpc.fromLookup(stack, 'Vpc', {
  vpcName: 'existing-vpc-id',
});

const bastiInstance = BastiInstance.fromBastiId(
  this,
  'BastiInstance',
  // The BastiID of the Basti instance you want to import
  'existing-basti-id',
  vpc
);

// bastiInstance can now be used to allow access to a connection target
bastiAccessSecurityGroup.allowBastiInstanceConnection(
  bastiInstance,
  aws_ec2.Port.tcp(1717)
);

Granting access to use Basti instance

You can grant the ability to connect to a Basti instance to other resources (users, roles, etc.) using the grantBastiCliConnect method of an existing Basti instance.

const bastiInstance = new BastiInstance(/*...*/);
const grantee = new aws_iam.Role(/*...*/);

bastiInstance.grantBastiCliConnect(grantee);

License

Usage is provided under the MIT License. See LICENSE for the full details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

basti_cdk-1.2.0.tar.gz (154.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

basti_cdk-1.2.0-py3-none-any.whl (153.1 kB view details)

Uploaded Python 3

File details

Details for the file basti_cdk-1.2.0.tar.gz.

File metadata

  • Download URL: basti_cdk-1.2.0.tar.gz
  • Upload date:
  • Size: 154.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.2

File hashes

Hashes for basti_cdk-1.2.0.tar.gz
Algorithm Hash digest
SHA256 3b75e1d37e609461251975cb5b932425c1b1d8c767ad4f78b2a897241ffcacea
MD5 4de89c6910a9cf65ac3be0c31520fa3e
BLAKE2b-256 803e1efa0d3a63b054d04d2af694f19f229bb5087d68df8062d41506c7e7fafd

See more details on using hashes here.

File details

Details for the file basti_cdk-1.2.0-py3-none-any.whl.

File metadata

  • Download URL: basti_cdk-1.2.0-py3-none-any.whl
  • Upload date:
  • Size: 153.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.2

File hashes

Hashes for basti_cdk-1.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 52ff7d30396e765399c4f6a3428521e0e0adb07481560cebce26811dcb384829
MD5 2b245185efd42b2a4868b10dfd26dc7f
BLAKE2b-256 4d101499e56b80468c08e5458a22977539f55a2aa6ecffe02dd2cf83fe9685ab

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page