EC2 SSH Jump Box Design

Create an EC2 SSH jump box in just a few minutes.

What's a Jump Box?

An SSH Jump Box is a single, hardened server that you "jump" through in order to access other servers on the inner network. Sometimes called a bastion or relay host, it is a server that all of your users can log into and use as a relay to connect to other servers.

This article is geared for EC2 deployment inside a VPC but this design should work anywhere you can use Userify, such as in your own Datacenter, Google, Azure, etc.

To build a jumpbox with Userify, just create a Jumpbox group and paste the regular Userify cloudinit script into the EC2 script box!

SSH JUMP BOX IN THREE MINUTES FLAT

  1. Create a Userify Project called "Jumpbox" with a Userify Server Group called "Production".

  2. Enable each of the users (only 'user' permission is needed) that will log into any server in that particular VPC or environment.

  3. For each group, launch a new jump box instance in each of your environments or VPCs. (In a VPC, launch it in your public subnet. For EC2 Classic, launch it anywhere.)

  4. Paste the UserData (CloudInit) script into the "Advanced" section on the "Instance Details" launch page and launch!

  5. You're done!

Lock down the other servers in the VPC and the Jumpbox (see below) as needed.

How to Log In

  1. First SSH into the Jump Box. Use the -A switch, which enables SSH agent forwarding so that your key can authenticate you to servers beyond the Jumpbox. (This works on both Linux and Mac; Windows users should enable "Allow Agent Forwarding" under the Connection > SSH > Auth section of the Jumpbox PuTTY connection.)

  2. Once logged into the Jumpbox, simply ssh into the desired server! Use of -A is no longer necessary.

Security Considerations and Tips

  • Obviously your servers no longer need port 22 available to the outside world -- but the Jump box still needs access to them!

  • An effective Jump Box will simply contain the minimal software needed to run an SSH server and the Userify agent. Use whatever hardening techniques you prefer on this server.

  • Users only need user level permissions unless they need to administer the jumpbox server itself.

  • Many users harden the instance, install fail2ban or denyhosts, change the default port 22 to an unusually high port (such as 31000), or even block access from unknown networks.

  • You only need one Jumpbox for each network. Although you could create multiple for high availability in some circumstances, it might be easier to create an Auto-scaling Group (ASG) with a minimum and maximum size of one. The only requirement is that the Userify shim gets installed on it (see step 4), making it about the simplest ASG possible!

  • You can lock down users by each of your environments (dev, staging, test) or for each of your regions (east, west, etc). Just add an extra Jump Box for each environment and configure your AWS security groups (firewall) to only allow SSH access from the Jumpbox for that environment.

  • As with any Jump Box, users with 'root' permission can hijack other users' sessions and possibly gain root access to servers they wouldn't otherwise have access to.
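
To check the security group lockdown described in the tips above (inner servers accept SSH only from the Jumpbox), the following added example, which is not Userify's own code, audits security group rules in the JSON shape returned by `aws ec2 describe-security-groups`. The group IDs and the sample data are constructed placeholders.

```python
# Added example: audit security groups so that SSH is reachable only via the jump box.
# SAMPLE is constructed data in the shape returned by `aws ec2 describe-security-groups`.
JUMPBOX_SG = "sg-jumpbox-example"   # placeholder ID for the jump box's security group
SSH_PORT = 22                       # change if sshd listens on another port

SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": JUMPBOX_SG}]}]},
    {"GroupId": "sg-cache-example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": [{"GroupId": "sg-web-example"}]}]},
]}

def covers_ssh(perm, port=SSH_PORT):
    """True if the rule admits TCP traffic on the SSH port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rules carry no port range
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def ssh_violations(groups, jumpbox_sg=JUMPBOX_SG, port=SSH_PORT):
    """Return (group_id, source) pairs where SSH is allowed from anything but the jump box."""
    found = []
    for sg in groups["SecurityGroups"]:
        if sg["GroupId"] == jumpbox_sg:    # the jump box itself is meant to accept SSH
            continue
        for perm in sg.get("IpPermissions", []):
            if not covers_ssh(perm, port):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])
                        if p["GroupId"] != jumpbox_sg]
            sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
            found.extend((sg["GroupId"], src) for src in sources)
    return found

if __name__ == "__main__":
    for group_id, source in ssh_violations(SAMPLE):
        print(f"{group_id}: SSH reachable from {source}")
```

An "all traffic" rule (`IpProtocol` of `-1`) is reported because it also admits SSH, which is easy to miss when reviewing rules by port number alone.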