CloudBastn is a credential management platform you run inside your AWS account. Store server passwords and PEM keys envelope-encrypted, open SSM terminals and RDP straight from the browser, and audit every reveal — without a vendor in the data path.
Credentials, PEM keys, live terminals, RDP, and runbooks for your whole EC2 fleet — locked behind MFA and logged on every touch.
Every password and PEM key is encrypted with its own AES-256-GCM data key, wrapped by a master key your instance loads from AWS KMS or local config. Nothing is stored in plaintext, ever.
TOTP enrolment with single-use backup codes is part of first-boot setup. Revealing a credential or downloading a PEM requires a fresh password re-entry inside a sliding five-minute window.
Open bash or PowerShell on any SSM-managed instance straight from the server page — no inbound ports, no client install, no PEM on a laptop. Direct-SSH fallback exists for legacy boxes, off by default.
Full Windows desktops rendered in the browser via Guacamole, tunnelled over SSM port-forwarding. Port 3389 stays closed to the internet; stored credentials are injected without being shown.
Invite the team, assign roles, and scope who can view, reveal, or administer. Sessions are revocable server-side — sign someone out everywhere the moment they leave the on-call rotation.
Reveals, rotations, logins, sessions, and admin changes are logged with actor, IP, severity, and metadata. Filter, export, and set retention floors per data type — the log is yours, on your disk.
No SaaS onboarding, no sales call. Launch the AMI, run the setup wizard, connect an account.
Subscribe on AWS Marketplace and launch CloudBastn in your VPC — amd64 or arm64, a t3.small-class instance is plenty. A one-time token from the EC2 console unlocks the 4-step setup wizard: admin account, mandatory MFA, TLS.
Create an IAM role in each account you manage using the trust policy CloudBastn generates — your principal plus a per-account external ID. Paste the role ARN and your EC2 fleet syncs in, tagged and grouped.
Attach passwords, PEM keys, and runbooks to each server. Open SSM terminals and RDP sessions in a tab. Invite the team with scoped roles and watch the audit trail record every sensitive touch.
CloudBastn is software you run, not a service we host. There is no vendor account in your deployment, no phone-home in the data path, and no recovery backdoor. The boundary of trust is your AWS account — exactly where it already was.
Read the security model
Subscribe on AWS Marketplace, launch in your VPC, and hand your team safer access by the end of the day.