
High memory usage and slowness on EC2 bastion host due to multiple Chrome GUI sessions


We are experiencing performance issues on a bastion host running on EC2 m6i.xlarge (16GB RAM) in our AWS environment.

The bastion host is used by multiple administrators to access private instances in the VPC. However, several users are currently running Google Chrome sessions directly on the bastion host through the GUI environment.

We are observing the following symptoms:

  • High memory usage (~12GB out of 16GB RAM)
  • System slowness and intermittent latency when connecting via SSH
  • Multiple Chrome renderer processes consuming large amounts of memory

Example output from ps aux --sort=-%mem shows multiple Chrome renderer processes: /opt/google/chrome/chrome --type=renderer ...

From a bastion host architecture perspective, our understanding is that bastion hosts should ideally be minimal systems used only for administrative access (SSH/CLI) to private resources.

We would like clarification from the AWS community on whether it is considered a best practice to run GUI applications such as Chrome on bastion hosts.

Environment:

  • EC2 instance type: m6i.xlarge
  • OS: Ubuntu
  • Bastion used to access private EC2 instances
  • Multiple users connecting concurrently

Any recommendations or references to AWS documentation would be greatly appreciated.

Thank you.

asked 2 months ago · 54 views
1 Answer

You are correct in your understanding that running GUI applications like Chrome on a bastion host is not aligned with AWS best practices. Bastion hosts are intended to serve as secure, minimal jump points for administrative access to private resources within your VPC, not as general-purpose workstations.

From an architectural perspective, bastion hosts should be:

Minimal and Purpose-Built: They should only run the essential services needed for secure access (SSH/RDP) to private resources. Running resource-intensive GUI applications like Chrome introduces unnecessary overhead and security risks.

Secured and Controlled: The more software and services running on a bastion host, the larger the attack surface. A bastion host exposed to external networks should be hardened and limited to its core function of providing controlled access.

Recommendations to Address Your Issue:

  1. Separate Workstation Access from Bastion Access: Users should not be using the bastion host as a workstation. Chrome and other GUI applications should run on users' local machines or dedicated virtual desktop instances, not on the bastion host itself.

  2. Consider AWS CloudShell as an Alternative: AWS CloudShell provides a browser-based shell environment that can be configured to run inside your VPC (CloudShell VPC). This eliminates the need to manage bastion host infrastructure entirely, as AWS handles all underlying maintenance, patching, and security. CloudShell VPC provides:

  • Zero infrastructure maintenance
  • IAM-controlled access without SSH key management
  • Direct access to private VPC resources
  • No public IP exposure
  • Automatic session expiration for enhanced security

  3. Use AWS Systems Manager Session Manager: This allows secure access to EC2 instances without requiring open inbound ports or managing SSH keys. It provides audit logging and can be used instead of traditional SSH through a bastion host.

  4. Implement Proper Access Controls: Use IAM policies to control who can access the bastion host and ensure users understand it should only be used for SSH/CLI access to private resources, not as a general-purpose system.

  5. Right-Size or Reconfigure: If you must continue using the current bastion host, consider either upgrading the instance type or, better yet, reconfiguring user workflows to eliminate GUI usage entirely from the bastion host.

The performance issues you're experiencing are a direct result of using the bastion host outside its intended purpose. Addressing the root cause—inappropriate usage patterns—will resolve both the performance problems and improve your security posture.
Sources
Using AWS CloudShell Over Bastion Hosts for Seamless Access to Private Resources | AWS re:Post
Access a bastion host by using Session Manager and Amazon EC2 Instance Connect - AWS Prescriptive Guidance

answered 2 months ago
reviewed 2 months ago
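An added example, not from the question or the answer above: a small audit script that parses `ps aux --sort=-%mem` output (the command the asker used), sums resident memory of GUI processes per user, and lists the Chrome renderers that should not be running on a minimal jump host. The process listing embedded below is constructed for the example; the user names, PIDs and sizes are not from the thread.

```python
"""Flag GUI workloads on a bastion from `ps aux --sort=-%mem` output (added example)."""
import re
from collections import defaultdict

# Constructed sample of `ps aux --sort=-%mem` output; RSS is column 6, in KiB.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ     RSS TTY      STAT START   TIME COMMAND
alice     4211 12.0 10.1 1943220 1654320 ?      Sl   09:12   4:01 /opt/google/chrome/chrome --type=renderer --display-id=1
bob       5120  8.0  9.7 1802112 1589000 ?      Sl   09:20   3:10 /opt/google/chrome/chrome --type=renderer --display-id=2
alice     4198  3.0  5.2 1233000  851200 ?      Sl   09:12   1:02 /opt/google/chrome/chrome --type=gpu-process
root       812  0.0  0.3   72300   49152 ?      Ss   08:01   0:00 /usr/sbin/sshd -D
carol     6002  0.0  0.1   19800   10240 pts/2   Ss   10:05   0:00 -bash
"""

# Command-line patterns for workloads that do not belong on a minimal jump host.
GUI_PATTERNS = [re.compile(r"/chrome(\s|$)"), re.compile(r"--type=renderer")]


def parse_ps(text):
    """Return one dict per process row: user, pid, rss_kib, command."""
    rows = []
    for line in text.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 10)        # COMMAND is the 11th field and may contain spaces
        if len(parts) < 11:
            continue
        rows.append({"user": parts[0], "pid": int(parts[1]),
                     "rss_kib": int(parts[5]), "command": parts[10]})
    return rows


def is_gui_process(command):
    return any(p.search(command) for p in GUI_PATTERNS)


def audit(text):
    """Return ({user: MiB of GUI RSS}, [(user, pid, MiB), ...]) for flagged processes."""
    per_user = defaultdict(int)
    offenders = []
    for r in parse_ps(text):
        if is_gui_process(r["command"]):
            per_user[r["user"]] += r["rss_kib"]
            offenders.append((r["user"], r["pid"], r["rss_kib"] // 1024))
    return {u: kib // 1024 for u, kib in per_user.items()}, offenders


if __name__ == "__main__":
    summary, offenders = audit(SAMPLE_PS)
    for user, mib in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(f"{user:10} {mib:>6} MiB in GUI processes")
    for user, pid, mib in offenders:
        print(f"  pid {pid} ({user}): {mib} MiB")
```

On a real host, pipe `ps aux --sort=-%mem` into `audit()` instead of the constructed sample; the per-user totals are what you would raise with the administrators concerned.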
