Access to AWS that is temporary by default
Standing bastions, long-lived keys and always-on VPNs are the access you forget to close. We give your people governed, time-boxed access at every layer, and then it tears itself down.
The access you grant should close itself
Most AWS access never gets revoked. A bastion stays up, a key keeps working, a console role stays broad. base2Services' Secure Access to AWS gives your people what they need at three layers, the network, the host and the account, scoped to the task and time-boxed, so the door is open only while someone is actually using it.
How people get in and how they get out
Someone needs in
A developer needs the VPC, a private host or another account, for a task, not forever.
Authenticate as themselves
Certificate, SSO or Active Directory for the VPN, their own IAM identity for a bastion, single sign-on for the access broker. No shared secret.
Get time-boxed access
A VPN session, an on-demand bastion or temporary cross-account credentials, scoped to what they actually need.
Connect, no open ports
Over Session Manager, SSH, RDP or the console, in your AWS accounts. No inbound ports left open and no shared keys handed around.
It expires
Bastions terminate when the session ends, credentials time out and VPN sessions close. Nothing is left standing.
It is audited
Every session is tied to the identity that opened it, so you can answer who had access to what and when.
Network access: a managed Client VPN
AWS Client VPN is fiddly to stand up and keep running. We wrap it with CloudFormation and automated certificates, so your people reach the VPC over a VPN that authenticates them as themselves and only routes what it should.
- Certificate, SSO and Active Directory authentication
- Split tunnel, so only your VPC routes go over the VPN
- Certificate users, routes and sessions managed for you
- Scheduled stop and start, so an idle VPN is not billing overnight
Host access: on-demand bastions, no standing host
Instead of a permanent bastion with open ports, launch a temporary one when you need it. It connects over AWS Session Manager, SSH or RDP, runs on spot and terminates itself when the session ends, so there is nothing standing to attack or to pay for.
- A temporary EC2 bastion over Session Manager, SSH or RDP
- Auto-terminates when the session ends, nothing left running
- Spot-priced by default, on demand when a session has to stick
- Linux and Windows, on a scoped, short-lived IAM role
Account access: a broker for temporary credentials
Instead of long-lived keys or broad console roles, people request access through a browser and get temporary credentials into the right account, scoped to what they should reach. Every grant is tied to an identity, so access across many accounts stays governed and auditable.
- Temporary credentials into the accounts a person should reach
- Browser-based, signed in through single sign-on
- Access is scoped and time-boxed, not a permanent key
- Every grant tied to an identity, for audit
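The audit question raised above, who had access to what and when, can be answered from the AssumeRole records CloudTrail keeps, because each temporary grant has a start time and a lifetime. This is an added example, not base2Services' code; the events are constructed and trimmed to the fields used, and the account IDs, user names and function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_SECONDS = 3600  # STS AssumeRole lifetime when durationSeconds is omitted

def ev(time, user, role_arn, seconds=None, error=None):
    """Constructed record, trimmed to the CloudTrail AssumeRole fields used here."""
    req = {"roleArn": role_arn, "roleSessionName": user}
    if seconds is not None:
        req["durationSeconds"] = seconds
    e = {"eventName": "AssumeRole", "eventTime": time,
         "userIdentity": {"arn": "arn:aws:iam::111111111111:user/" + user},
         "requestParameters": req}
    if error:
        e["errorCode"] = error  # present only on failed calls
    return e

EVENTS = [  # constructed sample data
    ev("2024-05-01T09:00:00Z", "alice", "arn:aws:iam::222222222222:role/ops", 900),
    ev("2024-05-01T09:05:00Z", "carol", "arn:aws:iam::333333333333:role/admin", 43200),
    ev("2024-05-01T09:10:00Z", "bob", "arn:aws:iam::222222222222:role/ops"),
    ev("2024-05-01T09:20:00Z", "dave", "arn:aws:iam::222222222222:role/ops",
       900, error="AccessDenied"),
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def grants(events):
    """Turn successful AssumeRole events into identity/account/time windows."""
    out = []
    for e in events:
        if e.get("eventName") != "AssumeRole" or e.get("errorCode"):
            continue  # other API calls and denied requests grant nothing
        req = e["requestParameters"]
        start = parse_time(e["eventTime"])
        secs = req.get("durationSeconds", DEFAULT_SECONDS)
        out.append({"who": e["userIdentity"]["arn"],
                    "account": req["roleArn"].split(":")[4],
                    "role": req["roleArn"].split("/", 1)[1],
                    "start": start, "end": start + timedelta(seconds=secs)})
    return out

def who_had_access(events, account, at):
    """Identities holding unexpired credentials for `account` at time `at`."""
    t = parse_time(at)
    return sorted({g["who"] for g in grants(events)
                   if g["account"] == account and g["start"] <= t < g["end"]})

def over_limit(events, max_seconds):
    """Grants whose lifetime exceeds the time box the policy allows."""
    return [g for g in grants(events)
            if (g["end"] - g["start"]).total_seconds() > max_seconds]
```

The window is computed from the requested lifetime, so it is an upper bound on when the credentials could be used, not proof that they were.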
Built by base2Services
This is how we get into the AWS accounts we manage: governed access that is temporary, scoped and logged, never a shared key in a password manager.
base2Services is an AWS Advanced Consulting Partner specialising in platform engineering and managed AWS operations. Secure Access to AWS is part of how we run AWS for people, not a side project. If you would rather not run it yourself, the team that built it sets it up and operates it across your accounts.