ADR-003 - Controlled Administrative Access via Bastion

Context

At the current stage, part of the administrative access to systems is still performed:

  • from a personal workstation
  • via direct SSH access to exposed systems

This creates several risks:

  • lack of centralized control over administrative sessions
  • limited traceability of actions
  • increased exposure of privileged access paths
  • inconsistent enforcement of authentication policies

This situation is identified as temporary and not aligned with target architecture principles.


Decision

Introduce a controlled administrative access model based on a bastion host:

  • all administrative access must transit through the bastion
  • direct access to infrastructure systems is restricted or removed
  • authentication is strengthened (SSH keys, MFA where possible)
  • administrative sessions become auditable

Rationale

  • Controlled access paths
    Centralizes and restricts privileged access.

  • Traceability
    Enables logging and monitoring of administrative actions.

  • Reduced exposure
    Limits direct access from external or uncontrolled environments.

  • Alignment with architecture principles
    Reinforces segmentation and trust boundary enforcement.


Alternatives Considered

1. Direct SSH access with hardening

Rejected
Still exposes multiple administrative entry points.


2. VPN-only access model

Partially acceptable but insufficient alone
Does not provide session-level control or traceability.


3. Bastion-based access control (selected)

Accepted
Provides a centralized, auditable and controlled access path.


Security Impact

Positive

  • reduced attack surface for administrative access
  • improved traceability and auditability
  • stronger authentication enforcement
  • better separation between user and admin contexts

Negative / Trade-offs

  • added operational complexity
  • dependency on bastion availability
  • need for secure bastion hardening

Implementation Notes

  • deploy bastion host in a controlled zone (Hell)
  • restrict SSH access on all systems to bastion only
  • enforce key-based authentication
  • progressively introduce MFA
  • implement session logging where feasible
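The following script is an added example, not part of this ADR or of the project's own tooling. It turns the Decision and the Implementation Notes above into concrete OpenSSH configuration: a drop-in for managed systems that accepts only key-based logins arriving from the bastion, a bastion-side fragment that chains a public key with a second factor, a client fragment that makes every administrative session transit the bastion via ProxyJump, and an audit function that checks a rendered config against the decision's requirements. The bastion address 203.0.113.10, the hostname bastion.example.internal, the user name admin and the file paths in comments are assumptions; enforcing a second factor on the bastion also assumes a PAM module that provides it.

```shell
#!/bin/sh
# Added example for ADR-003 (not the project's own code).
# Assumptions: bastion address 203.0.113.10, admin user "admin", paths below.

# Drop-in for a managed system: keys only, no interactive root, logins
# accepted only when the source is the bastion. OpenSSH keeps the FIRST value
# of a keyword, so this file must sort before the distribution defaults.
render_target_sshd_config() {
bastion="$1"
cat <<EOF
# /etc/ssh/sshd_config.d/10-bastion-only.conf (assumed path)
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
# VERBOSE records more detail on each authentication, including key fingerprints.
LogLevel VERBOSE
# Sessions that do not originate from the bastion are refused at authentication.
AllowUsers *@${bastion}
EOF
}

# Bastion side: a public key AND a keyboard-interactive second factor are both
# required. The second factor is assumed to come from a PAM module (e.g. TOTP).
render_bastion_sshd_config() {
cat <<'EOF'
# /etc/ssh/sshd_config.d/10-mfa.conf on the bastion (assumed path)
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PermitRootLogin no
LogLevel VERBOSE
EOF
}

# Administrator client fragment: every host matching the pattern is reached
# through the bastion, so no direct path has to remain open.
render_client_ssh_config() {
bastion_host="$1"
pattern="$2"
cat <<EOF
# ~/.ssh/config fragment (assumed path)
Host bastion
    HostName ${bastion_host}
    User admin
    IdentitiesOnly yes
Host ${pattern}
    ProxyJump bastion
EOF
}

# Audit a managed-host sshd config: return 0 when every ADR requirement is
# present with the expected value, 1 otherwise (missing items go to stderr).
audit_sshd_config() {
    file="$1"
    rc=0
    for want in \
        '^PasswordAuthentication[[:space:]]+no' \
        '^PubkeyAuthentication[[:space:]]+yes' \
        '^PermitRootLogin[[:space:]]+no' \
        '^AllowUsers[[:space:]]+.*@'
    do
        if ! grep -Eq "$want" "$file"; then
            echo "MISSING: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh bastion-config.sh --demo
if [ "${1:-}" = "--demo" ]; then
    render_target_sshd_config 203.0.113.10
    echo
    render_bastion_sshd_config
    echo
    render_client_ssh_config bastion.example.internal 'srv-*'
fi
```

The audit only checks that the directives are present with the right value; run `sshd -T` on the host to see the effective configuration after all drop-ins are merged, because an earlier file can silently win.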

Evidence & Traceability

Linked to:

  • risks involving credential compromise or misuse
  • identity and access management documentation
  • future audit and access review processes

Current Maturity

At the current stage, administrative access control is considered partially implemented.

Established

  • identification of risks related to admin access
  • definition of target bastion-based model

In Progress

  • deployment of bastion host
  • progressive restriction of direct access paths
  • initial hardening of administrative access

Planned / Next Phase

  • full enforcement of bastion-only access
  • MFA generalization
  • session traceability and logging improvements
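Full enforcement of bastion-only access and the planned logging improvements can be checked against the sshd messages a managed host already emits. The script below is an added example, not part of this ADR: it reads auth-log lines and reports every successful login that either did not originate from the bastion or did not use public-key authentication, which is exactly the residual direct-access path the next phase is meant to close. The log lines are constructed for illustration and the bastion address 203.0.113.10 is an assumption.

```shell
#!/bin/sh
# Added example for ADR-003 (not the project's own code).
# Assumption: the bastion's address is 203.0.113.10.

# Constructed sample of sshd messages from a managed host's auth log.
# Line 1 is compliant; lines 2 and 3 bypass the bastion; line 4 is a failure.
sample_auth_log() {
cat <<'EOF'
Mar  3 09:12:01 srv-db01 sshd[2231]: Accepted publickey for admin from 203.0.113.10 port 51012 ssh2: ED25519 SHA256:aaaa
Mar  3 09:15:44 srv-db01 sshd[2290]: Accepted publickey for admin from 198.51.100.7 port 40222 ssh2: ED25519 SHA256:aaaa
Mar  3 09:16:02 srv-db01 sshd[2301]: Accepted password for root from 198.51.100.7 port 40230 ssh2
Mar  3 09:20:10 srv-db01 sshd[2350]: Failed password for invalid user test from 192.0.2.55 port 33001 ssh2
EOF
}

# Read sshd log lines on stdin and print one line per successful login that
# violates the decision: source address is not the bastion, or the method is
# not publickey. Output: <month> <day> <time> <user> <ip> <method> <reasons>
find_bypass_logins() {
    awk -v bastion="$1" '
        /sshd\[[0-9]+\]: Accepted / {
            # fields of interest: Accepted <method> for <user> from <ip> ...
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for")      user   = $(i + 1)
                if ($i == "from")     ip     = $(i + 1)
            }
            reason = ""
            if (ip != bastion)         reason = reason " direct-access"
            if (method != "publickey") reason = reason " non-key-auth"
            if (reason != "")
                printf "%s %s %s %s %s %s%s\n", $1, $2, $3, user, ip, method, reason
        }'
}

# Usage: sh bastion-audit.sh --demo      (or: cat /var/log/auth.log | find_bypass_logins 203.0.113.10)
if [ "${1:-}" = "--demo" ]; then
    sample_auth_log | find_bypass_logins 203.0.113.10
fi
```

Feeding real auth logs through `find_bypass_logins` gives a simple measure of how far the "progressive restriction of direct access paths" has actually gone: once the bastion-only drop-in is effective on a host, this report should be empty for it.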