Web Access Bastion Best Practices

  • Location - Place Web Access Bastions as close as possible to your Gateway to minimize latency. Use SRA Bastion in any environment or region, with a dedicated Gateway. In addition, your Bastion server should run with a dedicated Identity in an isolated environment.

  • Configure TLS - Akeyless Bastion should always be used with TLS. If you are working with Load Balancers or reverse proxies in front of your Bastion, use TLS for all network connections to ensure all traffic is encrypted in transit.

  • Isolation mode - Can be set with list permissions to ensure users get their access only via isolated sessions. In addition, whitelist the relevant domains and force HTTPS-only connections to enable credentials injection.

  • Required resources - The default is set to 1Gb memory. If your web targets require high resolution, or you need multiple concurrent sessions, increase the resources according to your needs.

  • Forward Logs - Forward logs from your Bastions to any logging system to constantly track and monitor your users' activity.

