亚马逊AWS官方博客

Farewell to Bastion Hosts: Achieving Secure and Intelligent Operations for Private Subnets Using AWS EICE (EC2 Instance Connect Endpoint) and Chaterm

English version | 中文版本

Summary: This article introduces the integration of Chaterm, an AI-powered terminal tool, with AWS EC2 Instance Connect Endpoint(EICE) to address operational challenges in private subnets. Traditional approaches require VPNs or bastion hosts,whereas EICE leverages IAM-based authentication to establish secure connections without public IP addresses. Chaterm wraps the EICE capability with cross-platform auto-adaptation and a visual interface. More importantly, its built-in AI Agent can perform intelligent health checks, fault diagnosis, and batch management directly on private EC2 instances —significantly improving both operational efficiency and security.

1. Introduction

When building enterprise-grade AWS architectures, we typically follow the best practice of “layered security”: deploying databases, middleware, and core application servers in Private Subnets, without assigning public IPs.

However, this highly secure architectural design often creates a “last mile” challenge for day-to-day operations:

  • Complex Connectivity: Operations personnel either need to configure complex VPNs or set up and maintain dedicated EC2 jump servers (Bastion Hosts).
  • Fragmented Environments: Different local OS environments across team members (Windows/Mac/Linux) lead to chaotic SSH key management, inconsistent AWS CLI versions, and high onboarding costs for new team members.
  • Hindered Intelligence: In the era of AIOps, many locally-running AI-assisted tools cannot penetrate complex network tunnels to directly perform intelligent diagnostics on instances within private subnets.

We will introduce an open-source intelligent terminal tool deeply integrated with AWS native capabilities — Chaterm, and demonstrate how it combines with AWS EC2 Instance Connect Endpoint (EICE) to achieve “one-click direct connection” and AI empowerment for private resources without exposing public ports.

2. What is Chaterm?

Chaterm is an open-source intelligent terminal tool developed by IntSig. Unlike traditional SSH clients, its core philosophy is “Chat with Terminal”. It is not just a connection tool — it has a powerful built-in AI Agent that can understand terminal context, help developers explain errors, generate commands, and even automatically write scripts.

In its latest version, Chaterm has launched an AWS EC2 plugin that fundamentally transforms the operations experience for private cloud resources through deep integration with AWS’s modern connectivity technologies.

3. AWS EC2 Instance Connect Endpoint — Technical Deep Dive

3.1 Why is this solution more advanced than traditional bastion hosts?

The EC2 Instance Connect Endpoint (EICE) feature, launched by AWS in 2023, elevates connection control from the “network layer” to the “identity layer”.

  • No Public IP Required: EICE is a logical interface (Endpoint) deployed within the user’s VPC. It acts like an “invisible gateway”, allowing SSH traffic to reach target instances directly through AWS’s private network tunnel.
  • Identity as the Defense Line: Traditional connectivity relies on IP whitelisting or SSH key distribution, whereas EICE relies on AWS IAM (Identity and Access Management) for authentication. This means all connection requests go through IAM permission verification and are audit-logged by CloudTrail.
  • Zero Trust Architecture: EC2 instance security groups no longer need to open port 22 to the public internet (0.0.0.0/0) — they only need to allow traffic from the subnet where EICE is located.

4. The Solution: Dual Advantages of Chaterm + AWS EICE

Chaterm’s AWS plugin encapsulates EICE’s powerful capabilities behind a clean UI, primarily solving the following problems:

4.1 Simpler Connections with Adaptive Environment

Traditionally, using EICE requires memorizing lengthy AWS CLI commands (such as aws ec2-instance-connect open-tunnel). Chaterm’s plugin has a built-in cross-platform (Windows/macOS/Linux) AWS CLI environment that automatically completes dependency adaptation during plugin installation.

After configuring AWS credentials (Access Key / Secret Key), the plugin will automatically discover resources through the AWS API. Users simply click on an instance in the visual list, and the plugin will automatically generate the SSH ProxyCommand and establish an encrypted tunnel in the background

[Image1]

4.2 Unlocking the Full Potential of AI Operations

This is the biggest highlight of this solution. Previously, after connecting to a private network EC2 instance, local AI tools were often “out of reach”.

Since Chaterm establishes a transparent tunnel, its built-in AI Agent can operate private network EC2 instances as if operating a local machine. Once connected, Chaterm’s full AI capabilities take effect immediately:

  • Intelligent Inspection: You can directly ask the AI: “Help me check the disk usage.” The AI will automatically execute df -h and present the output in a formatted manner.
  • Fault Diagnosis: Describe the symptoms (e.g., “Web service response is slow”), and the AI will automatically execute a series of diagnostic commands like top, ps, netstat, and generate an analysis report. Compared to manually typing commands one by one, the efficiency improvement is significant.
  • Batch Operations: Using Chaterm’s multi-session feature, you can simultaneously select 10 private network servers and have the AI assist with batch configuration update distribution.

[Image2]

5. Practical Guide: How to Configure

To ensure security, we will follow AWS’s Least Privilege Principle for configuration.

5.1 Step 1: AWS-Side Configuration (One-Time Setup)

5.1.1 Create an EC2 Instance Connect Endpoint

Create an EICE in the VPC console or using CLI, ensuring you select the target private subnet:

aws ec2 create-instance-connect-endpoint \
--region cn-north-1 \
--subnet-id subnet-xxxxxx \
--security-group-ids sg-xxxxxx \
--preserve-client-ip

5.1.2 Configure Security Groups

Modify the target EC2’s security group to only allow SSH (port 22) traffic from the EICE security group ID.

5.1.3 Create a Dedicated IAM User and Policy

We strongly recommend not directly using administrator-privileged AK/SK. Please create a dedicated IAM user and grant only the following fine-grained permissions (restricting tunnel establishment to specific resources and ports):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSubnets",
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Resource": "arn:aws:ec2:*:*:instance-connect-endpoint/*",
            "Condition": {
                "NumericEquals": {
                    "ec2-instance-connect:remotePort": "22"
                }
            }
        }
    ]
}

5.2 Step 2: Chaterm-Side Configuration (Only Takes 2 Minutes)

  1. Open Chaterm, search for and install the “AWS EC2” plugin in the plugin marketplace.
  2. Go to plugin settings, and enter the Access Key (AK), Secret Key (SK), and target Region (e.g., cn-north-1) of the IAM user created in the previous step.
  3. Return to the main interface — your private network instance list will load automatically. Select an instance and click “Connect”.

6. Summary

Through deep integration with AWS EC2 Instance Connect Endpoint, Chaterm provides developers with a connection solution that is both enterprise security-compliant (no public IP, IAM auditing) and delivers an excellent user experience (no bastion hosts, AI-empowered).

If you are looking for a more secure and intelligent way to manage your AWS private subnet resources, Chaterm is undoubtedly one of the best practices available today.

[Image3]

➡️ Next Steps:

Related Products:

  • Amazon EC2 — Secure and resizable compute capacity for virtually any workload
  • Amazon Connect — AI-native omnichannel cloud contact center
  • Amazon IAM — Management of identities and access to AWS services and resources
  • Amazon VPC — Isolated cloud network to launch AWS resources
  • Amazon Batch — Fully managed batch processing at any scale

*Amazon Web Services currently deploys the aforementioned certain generative AI-related services in Global regions. Amazon Web Services China region services are operated by NWCD and Sinnet, with more details at the official Amazon Web Services China region website.

Authors

Hu Zhishang

Operations & Development Engineer at IntSig. 5+ years of IT experience, focused on system operations automation and cloud platform technologies, dedicated to optimizing enterprise infrastructure architecture and improving operational efficiency.

Zhao Hui

Technical Account Manager at NWCD (Northwest Cloud Data). 15+ years of IT-related experience. Focused on the automotive industry, dedicated to architecture and cost optimization for enterprise customers.

Guo Zhongwei

Senior TAM at AWS, driving architecture optimization and operational excellence for enterprise customers, with a focus on GenAI and AIOps adoption. Previously 16 years at Tencent and Oracle, leading enterprise database implementations for banking and insurance.