Replace Your AWS Bastion Host with AWS CLI and Session Manager

Bastion hosts have been the safety lock of private AWS networks for years. They guard access, but they are fragile, costly to maintain, and often slow to use. Every engineer has a story about being stuck waiting for access through a chain of SSH hops, IAM rules, or outdated security groups. The AWS CLI can help, but replacing a bastion host entirely is easier than you think.

The old bastion model forces all traffic through a single point. Logs scatter across systems. Patching the host is manual. Rotation of keys is a chore that only grows with team size. And every manual step becomes a future failure point.

Replacing a bastion host with an AWS CLI–driven workflow removes those bottlenecks. By using AWS Systems Manager Session Manager, you connect directly to EC2 instances without an open inbound port. No public IP. No exposed SSH. Authentication happens through IAM, with every session logged in CloudWatch or S3. This is not only more secure, but also faster.

A CLI-based approach means you can:

  • Start a connection with one command:
      aws ssm start-session --target i-0abcd1234efgh5678
  • Enforce least privilege with IAM policies
  • Skip managing SSH keys entirely
  • Eliminate security group holes for inbound ports
  • Gain session recording out of the box

Migration is straightforward. Install the latest AWS CLI v2. Ensure the SSM agent is running on each instance. Grant the instance role the SSM permissions the agent needs. Test connectivity with a non-production instance. Once that works, remove the bastion host from the topology and close the old ingress rules.
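One way to script the "test connectivity" step and the connection itself, as an added example that is not code from the original post: it assumes the AWS CLI v2 and the session-manager-plugin are installed and that the caller's IAM identity may call ssm:DescribeInstanceInformation and ssm:StartSession; the JSON responses embedded at the bottom are constructed samples, and the status check is done with sed so no jq is needed.

```shell
#!/bin/sh
# Pre-flight check for the migration above: confirm an instance is reachable
# through Session Manager before relying on it, then open a session with no
# inbound port. Added example, not code from the original post. Assumes AWS
# CLI v2 plus the session-manager-plugin are installed and that the caller's
# IAM identity may call ssm:DescribeInstanceInformation and ssm:StartSession.
set -eu

# Pull the PingStatus the SSM agent last reported out of the JSON printed by
# `aws ssm describe-instance-information`. Prints "NotRegistered" when the
# instance is absent from the list, which is what a missing agent, a missing
# instance-role permission or no route to the SSM endpoints all look like.
ping_status_from_json() {
  status=$(printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"PingStatus": *"\([A-Za-z]*\)".*/\1/p')
  if [ -z "$status" ]; then echo "NotRegistered"; else echo "$status"; fi
}

# A session can only be opened when the agent is Online.
instance_is_ready() {
  [ "$(ping_status_from_json "$1")" = "Online" ]
}

# Ask SSM about one instance; the filter keeps the output to that instance.
describe_instance() {
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" --output json
}

# Open the session only after the check passes; otherwise say what to fix.
ssm_connect() {
  desc=$(describe_instance "$1")
  if instance_is_ready "$desc"; then
    aws ssm start-session --target "$1"
  else
    echo "$1 is $(ping_status_from_json "$desc") in SSM: check the SSM agent," \
      "the instance role and the SSM endpoints" >&2
    return 1
  fi
}

# Constructed sample responses (not captured from a real account) so the
# parser can be exercised without AWS access.
SAMPLE_ONLINE='{"InstanceInformationList":[{"InstanceId":"i-0abcd1234efgh5678","PingStatus":"Online","PlatformType":"Linux"}]}'
SAMPLE_MISSING='{"InstanceInformationList":[]}'

# Usage: sh ssm-connect.sh i-0abcd1234efgh5678
if [ -n "${1:-}" ]; then ssm_connect "$1"; fi
```

Run it against a non-production instance first; a "NotRegistered" result points at the agent, the instance role or the SSM endpoints rather than at IAM on the caller's side.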

Security teams appreciate that each connection is encrypted end-to-end, fully auditable, and tied to IAM identities. Developers like that it’s instant. Ops likes that there is no new host to patch. Costs drop because you’re running zero bastion instances.

The result: simpler architecture, faster access, lower risk. Bastion host replacement isn’t a theory anymore. It’s built into AWS CLI and ready right now.

You can see this in action without writing extra automation. Hoop.dev lets you set up secure, auditable cloud access in minutes — no bastion, no delays. Try it today and watch your AWS CLI replace the old guard for good.
