Bastion Zero

BastionZero delivers zero trust access without creating a single point of compromise. It pairs with your IdP to quickly grant access with policy controls and observability — without a mess of passwords, VPNs, and SSH keys.

Full Episode

Problem that Bastion Zero Fixes

Bastion Zero fixing some shortcomings with AWS Systems Manager Session Manager (SSM).

Before we can dive into the problems that it fixes lets first look at what AWS Systems Manager Session Manager does.

AWS Systems Manager Session Manager

A typical user would access their AWS infrastructure using AWS Systems Manager Session Manager (SSM)


AWS Systems Manager Session Manager (SSM) has many benefits to secure remote connections:

  • Inbound ports do not need to be open
  • SSH keys are not required
  • Access can be defined in IAM policies
  • Works with regular AWS command line Single Sign On (SSO) + Multi Factor Authentication (MFA) (triggered via Single Sign on)


  • SSH sessions are not recorded
  • IAM (Identity Access Manager) Policies are not user friendly
  • A SSO provider compromise could leave your infrastructure vulnerable

Enhancing Security

Use something like a Yubikey would improve your security when connecting to to SSM

Fixing all the Shortcomings (and Enhanced Security)

BastionZero has fixed these problems, and I like to call it AWS Systems Manager Session Manager on steroids!

Additional Independent MFA

Their product adds an additional independent MFA to the authentication process.  This means if Okta (for example) were compromised, or your employee was a victim of credential stuffing + MFA Push bombing, your infrastructure stays secure (as there is a separate, independent, MFA to Bastion Zero).

I put together a little video that shows how it works:


The BastionZero product is easy to deploy and will autodiscover your assets.

Policy Management

Their product also provides an easy way to manage which end users can access what asset (and role).

SSH Session Recording

Regular SSM does not record SSH sessions, but BastionZero does! Here is an example of how to view your recordings: