Treat bastion access as a privileged session path that needs explicit approval, logging, and revocation. Restrict who can use agent forwarding, limit which internal hosts are reachable, and ensure each hop is tied to an accountable operator. If the bastion cannot support those controls, it is expanding risk rather than reducing it.
Why This Matters for Security Teams
SSH bastions are supposed to narrow privileged access, but in practice they often become the most sensitive transit point in the environment. If session approval, destination restrictions, and revocation are weak, the bastion turns into a durable privilege relay rather than a control point. That is the same failure pattern described across NHI governance research in the Ultimate Guide to NHIs and the 52 NHI Breaches Analysis, where overexposed credentials and weak revocation repeatedly compound blast radius.
For security teams, the operational question is not whether the bastion is logged, but whether the logs are tied to accountable operators, whether the path is constrained to specific hosts, and whether access expires when the task ends. NIST guidance on governance and continuous monitoring in the NIST Cybersecurity Framework 2.0 maps well to this problem because bastion access is a privileged workflow, not a static entitlement. In practice, many security teams discover that the bastion was treated as “secure by placement” only after lateral movement had already used it as a trusted jump point.
How It Works in Practice
Effective bastion governance starts by treating each SSH session as a privileged access event with a defined purpose, bounded duration, and named operator. That means approval before use, session recording where feasible, and automatic revocation when the task ends. The bastion should not be a general-purpose relay. It should enforce destination allowlists, disable or tightly control agent forwarding, and prevent unrestricted shell chaining into internal systems.
Modern guidance also pushes teams to align bastion access with least privilege and auditability. The OWASP Non-Human Identity Top 10 is useful here because the bastion often mediates machine-to-machine access as well as human admin access, and those credentials must be governed as secrets, not convenience tokens. NHIMG research in the Lifecycle Processes for Managing NHIs reinforces the need for issuance, monitoring, rotation, and offboarding as a single control loop rather than separate tasks.
- Approve access per session, not per role alone.
- Bind every jump to an identifiable operator and ticket or change record.
- Restrict reachable hosts, ports, and commands to the minimum required.
- Log command activity and session metadata with tamper-resistant retention.
- Revoke credentials or certificates immediately after use.
Where possible, integrate the bastion with centralized identity, short-lived credentials, and policy-based authorization so access decisions happen at runtime, not only during provisioning. These controls tend to break down when legacy admin workflows require persistent sudo access across many hosts, because the bastion then becomes a bypass path for standing privilege.
Common Variations and Edge Cases
Tighter bastion control often increases administrative overhead, so teams have to balance security against incident-response speed and operational continuity. That tradeoff is real, especially in production recovery scenarios where engineers need rapid access and pre-approval may slow remediation. Current guidance suggests using break-glass access with stronger logging and post-event review rather than weakening the standard path for everyone.
There is also no universal standard for agent forwarding in privileged environments. Best practice is evolving, but most mature programs either disable it or allow it only for narrowly scoped use cases with explicit justification. The same caution applies to port forwarding, nested SSH hops, and shared admin accounts. If a bastion cannot tie each hop to one accountable operator, the control story is incomplete.
For environments with contractors, third parties, or automation, the bastion should distinguish human interactive access from non-human administrative workflows. That distinction matters because machine identities often need shorter-lived credentials, stricter destination controls, and more rigorous offboarding. NHIMG’s Regulatory and Audit Perspectives section is a useful reference when auditors expect evidence of session accountability, rotation, and timely revocation. In practice, bastion governance usually fails first in hybrid estates where old SSH habits, shared credentials, and emergency access all intersect.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Bastions depend on rotation and revocation of privileged secrets. |
| NIST CSF 2.0 | PR.AC-4 | Bastion access must enforce least privilege and controlled remote access. |
| CSA MAESTRO | MAESTRO emphasizes agent/session governance and runtime control for privileged workflows. |
Limit bastion reachability to approved targets and require named, attributable access for each session.
Related resources from NHI Mgmt Group
- How should security teams log privileged SSH access from bastion hosts?
- How should security teams govern SSH keys in cloud and server environments?
- How should security teams govern privileged access when replacing VPN access with gateway-based controls?
- How should security teams govern SSH tunneling in production environments?
