AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-05-13 · Documentation low

File: prescriptive-guidance/latest/patterns/access-a-bastion-host-by-using-session-manager-and-amazon-ec2-instance-connect.md

Summary

Multiple minor documentation updates including branding consistency (changing 'EC2' to 'Amazon EC2', 'S3' to 'Amazon S3'), typo fixes ('Session Manger' to 'Session Manager'), and link text improvements

Security assessment

Changes are primarily editorial improvements and branding consistency updates. No new security controls, vulnerabilities, or security features are introduced. Existing security-related content (e.g., principle of least privilege, secure instance configuration) remains unchanged in substance.

Diff

diff --git a/prescriptive-guidance/latest/patterns/access-a-bastion-host-by-using-session-manager-and-amazon-ec2-instance-connect.md b/prescriptive-guidance/latest/patterns/access-a-bastion-host-by-using-session-manager-and-amazon-ec2-instance-connect.md
index 6f5cf5aba..ba2a6062c 100644
--- a//prescriptive-guidance/latest/patterns/access-a-bastion-host-by-using-session-manager-and-amazon-ec2-instance-connect.md
+++ b//prescriptive-guidance/latest/patterns/access-a-bastion-host-by-using-session-manager-and-amazon-ec2-instance-connect.md
@@ -26 +26 @@ This pattern describes how you can use [Session Manager](https://docs.aws.amazon
-This pattern is intended for readers who have experience with basic understanding of Amazon EC2, Amazon Virtual Private Cloud (VPC), and Hashicorp Terraform.
+This pattern is intended for readers who have experience with basic understanding of Amazon EC2, Amazon Virtual Private Cloud (Amazon VPC), and Hashicorp Terraform.
@@ -40 +40 @@ This pattern is intended for readers who have experience with basic understandin
-  * Storage for the Terraform [state](https://developer.hashicorp.com/terraform/language/state), such as an Amazon Simple Storage Service (Amazon S3) bucket and an Amazon DynamoDB table that serve as a remote backend to store the Terraform state. For more information on using remote backends for the Terraform state, see [S3 Backends](https://www.terraform.io/language/settings/backends/s3) (Terraform documentation). For a code sample that sets up remote state management with an S3 backend, see [remote-state-s3-backend](https://registry.terraform.io/modules/nozaq/remote-state-s3-backend/aws/latest) (Terraform Registry). Note the following requirements:
+  * Storage for the Terraform [state](https://developer.hashicorp.com/terraform/language/state), such as an Amazon Simple Storage Service (Amazon S3) bucket and an Amazon DynamoDB table that serve as a remote backend to store the Terraform state. For more information on using remote backends for the Terraform state, see [Amazon S3 Backends](https://www.terraform.io/language/settings/backends/s3) (Terraform documentation). For a code sample that sets up remote state management with an Amazon S3 backend, see [remote-state-s3-backend](https://registry.terraform.io/modules/nozaq/remote-state-s3-backend/aws/latest) (Terraform Registry). Note the following requirements:
@@ -42 +42 @@ This pattern is intended for readers who have experience with basic understandin
-    * The S3 bucket and DynamoDB table must be in the same AWS Region.
+    * The Amazon S3 bucket and DynamoDB table must be in the same AWS Region.
@@ -61 +61 @@ Amazon Linux 2 is nearing end of support. For more information, see the [Amazon
-  * In this pattern, the bastion host is located in a private subnet without an NAT gateway and internet gateway. This design isolates the EC2 instance from the public internet. You can add a specific network configuration that allows it to communicate with the internet. For more information, see [Connect your virtual private cloud (VPC) to other networks](https://docs.aws.amazon.com/vpc/latest/userguide/extend-intro.html) in the Amazon VPC documentation. Similarly, following the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege), the bastion host doesn’t have access to any other resources in your AWS account unless you explicitly grant permissions. For more information, see [Resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based) in the IAM documentation.
+  * In this pattern, the bastion host is located in a private subnet without an NAT gateway and internet gateway. This design isolates the Amazon EC2 instance from the public internet. You can add a specific network configuration that allows it to communicate with the internet. For more information, see [Connect your virtual private cloud (VPC) to other networks](https://docs.aws.amazon.com/vpc/latest/userguide/extend-intro.html) in the Amazon VPC documentation. Similarly, following the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege), the bastion host doesn’t have access to any other resources in your AWS account unless you explicitly grant permissions. For more information, see [Resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based) in the IAM documentation.
@@ -83 +83 @@ Amazon Linux 2 is nearing end of support. For more information, see the [Amazon
-    * `amazonaws.<region>.ssm` – The endpoint for the Systems Manager service.
+    * `amazonaws.<region>.ssm` – The endpoint for the AWS Systems Manager service.
@@ -87 +87 @@ Amazon Linux 2 is nearing end of support. For more information, see the [Amazon
-    * `amazonaws.<region>.ssmmessages` – Session Manager uses this endpoint to connect to your EC2 instance through a secure data channel.
+    * `amazonaws.<region>.ssmmessages` – Session Manager uses this endpoint to connect to your Amazon EC2 instance through a secure data channel.
@@ -89 +89 @@ Amazon Linux 2 is nearing end of support. For more information, see the [Amazon
-  * A `t3.nano` EC2 instance running Amazon Linux 2
+  * A `t3.nano` Amazon EC2 instance running Amazon Linux 2
@@ -93 +93 @@ Amazon Linux 2 is nearing end of support. For more information, see the [Amazon
-  * Amazon VPC security groups and security group rules for the endpoints and EC2 instance
+  * Amazon VPC security groups and security group rules for the endpoints and Amazon EC2 instance
@@ -106 +106 @@ The diagram shows the following process:
-     * Authenticate, authorize, and connect to the EC2 instance
+     * Authenticate, authorize, and connect to the Amazon EC2 instance
@@ -140 +140 @@ The following options are available to automate deployment or to scale this arch
-  * [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.
+  * [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) is an open source tool that helps you interact with AWS services through commands in your command-line shell.
@@ -146 +146 @@ The following options are available to automate deployment or to scale this arch
-  * [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) helps you manage your applications and infrastructure running in the AWS Cloud. It simplifies application and resource management, shortens the time to detect and resolve operational problems, and helps you manage your AWS resources securely at scale. This pattern uses [Session Manger](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html), a capability of Systems Manager.
+  * [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) helps you manage your applications and infrastructure running in the AWS Cloud. It simplifies application and resource management, shortens the time to detect and resolve operational problems, and helps you manage your AWS resources securely at scale. This pattern uses [Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html), a capability of Systems Manager.
@@ -155 +155 @@ The following options are available to automate deployment or to scale this arch
-  * [ HashiCorp Terraform](https://www.terraform.io/docs) is an open-source infrastructure as code (IaC) tool that helps you use code to provision and manage cloud infrastructure and resources. This pattern uses [Terraform CLI](https://developer.hashicorp.com/terraform/cli).
+  * [ HashiCorp Terraform](https://www.terraform.io/docs) is an infrastructure as code (IaC) tool that helps you use code to provision and manage cloud infrastructure and resources. This pattern uses [Terraform CLI](https://developer.hashicorp.com/terraform/cli).
@@ -170 +170 @@ The code for this pattern is available in the GitHub [Access a bastion host by u
-  * During deployment, Terraform uses the replaces the EC2 instance each time a new version of the [Amazon Linux 2 AMI](https://aws.amazon.com/marketplace/pp/prodview-zc4x2k7vt6rpu?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) is detected. This deploys the new version of the operating system, including patches and upgrades. If the deployment schedule is infrequent, this can pose a security risk because the instance doesn’t have the latest patches. It is important to frequently update and apply security patches to deployed EC2 instances. For more information, see [Update management in Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/update-management.html).
+  * During deployment, Terraform uses the replaces the Amazon EC2 instance each time a new version of the [Amazon Linux 2 AMI](https://aws.amazon.com/marketplace/pp/prodview-zc4x2k7vt6rpu?sr=0-1&ref_=beagle&applicationId=AWSMPContessa) is detected. This deploys the new version of the operating system, including patches and upgrades. If the deployment schedule is infrequent, this can pose a security risk because the instance doesn’t have the latest patches. It is important to frequently update and apply security patches to deployed Amazon EC2 instances. For more information, see [Update management in Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/update-management.html).
@@ -201 +201 @@ Initialize the Terraform working directory.| This step is necessary for only the
-  * `$S3_STATE_BUCKET` is the name of S3 bucket that contains the Terraform state
+  * `$S3_STATE_BUCKET` is the name of Amazon S3 bucket that contains the Terraform state
@@ -203 +203 @@ Initialize the Terraform working directory.| This step is necessary for only the
-  * `$AWS_REGION` is the Region where the S3 bucket is deployed
+  * `$AWS_REGION` is the Region where the Amazon S3 bucket is deployed
@@ -241,2 +241,2 @@ Get the instance ID.|
-  1. In order to connect to the deployed bastion host, you need the ID of the EC2 instance. Do one of the following to locate the ID:
-     * Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/). In the navigation pane, choose **Instances**. Locate the bastion host instance.
+  1. In order to connect to the deployed bastion host, you need the ID of the Amazon EC2 instance. Do one of the following to locate the ID:
+     * Open the [Amazon EC2 console](https://console.aws.amazon.com/ec2/). In the navigation pane, choose **Instances**. Locate the bastion host instance.
@@ -255 +255 @@ To filter the results, enter the following command, where `$BASTION_HOST_TAG` is
-  2. Copy the ID of the EC2 instance. You use this ID later.
+  2. Copy the ID of the Amazon EC2 instance. You use this ID later.
@@ -264,2 +264,2 @@ In this section, you upload the public key to the [instance metadata](https://do
-  1. Send the SSH key to the bastion host by using EC2 Instance Connect. Enter the following command, where:
-     * `$INSTANCE_ID` is the ID of the EC2 instance
+  1. Send the SSH key to the bastion host by using Amazon EC2 Instance Connect. Enter the following command, where:
+     * `$INSTANCE_ID` is the ID of the Amazon EC2 instance
@@ -284 +284 @@ Connect to the bastion host.|
-     * `$INSTANCE_ID` is the ID of the EC2 instance
+     * `$INSTANCE_ID` is the ID of the Amazon EC2 instance
@@ -366 +366 @@ Issue| Solution
-You can use the `-D 8888` option to open an SSH connection with dynamic port forwarding. For more information, see [these instructions](https://explainshell.com/explain?cmd=ssh+-i+%24PRIVATE_KEY_FILE+-D+8888+ec2-user%40%24INSTANCE_ID) at explainshell.com. The following is an example of a command to open an SSH connection by using port forwarding.
+You can use the `-D 8888` option to open an SSH connection with dynamic port forwarding. For more information, see the [instructions](https://explainshell.com/explain?cmd=ssh+-i+%24PRIVATE_KEY_FILE+-D+8888+ec2-user%40%24INSTANCE_ID) at explainshell.com. The following is an example of a command to open an SSH connection by using port forwarding.
@@ -375 +375 @@ _Using the provided script_
-Instead of manually running the steps described in _Connect to the bastion host by using Session Manager_ in the Epics section, you can use the **connect.sh** script included in the code repository. This script generates the SSH key pair, pushes the public key to the EC2 instance, and initiates a connection with the bastion host. When you run the script, you pass the tag and key name as arguments. The following is an example of the command to run the script.
+Instead of manually running the steps described in _Connect to the bastion host by using Session Manager_ in the Epics section, you can use the **connect.sh** script included in the code repository. This script generates the SSH key pair, pushes the public key to the Amazon EC2 instance, and initiates a connection with the bastion host. When you run the script, you pass the tag and key name as arguments. The following is an example of the command to run the script.