Privileged Access Workstations: PAW Architecture, Bastion Hosts, and Jump Server Security

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The attack path from phishing email to domain admin is well documented and exploited daily. A user receives a credential-harvesting phishing email, opens it on their daily-use laptop where domain admin credentials are cached, malware captures the credentials, and the attacker uses them to access domain controllers or cloud infrastructure directly. The privileged access workstation model exists specifically to break this chain by ensuring administrative credentials never touch the same device that receives email.
Implementing a PAW program does not require purchasing dedicated hardware for every administrator, though that is the ideal architecture. Hardened VMs, cloud-based virtual desktops, and modern tools like AWS Systems Manager Session Manager each provide layers of the PAW model at different cost and complexity points.
PAW architecture: isolation is the core property
The defining security property of a PAW is complete isolation from the networks, applications, and user behaviors that create credential theft opportunities on daily-use endpoints. This means separate network segments with egress restrictions to only administrative destinations, no email clients or general-purpose browsers, application allowlisting that prevents unapproved software from executing, and EDR configured at maximum sensitivity. AWS Systems Manager Session Manager provides a modern implementation of the network isolation principle for cloud infrastructure by routing all EC2 shell access through IAM-authenticated HTTPS rather than inbound SSH ports, eliminating both the attack surface of open ports and the operational overhead of SSH key management and bastion host maintenance.
Network egress restriction is as important as device hardening
A PAW that can browse the general internet is not a PAW — it is a hardened workstation, which provides less isolation than intended. The administrative network segment from which PAW devices reach production systems should restrict outbound connections to specific destinations on specific ports: HTTPS to cloud console domains, RDP or SSH to specific administrative host IP ranges, and DNS to a controlled resolver. No other outbound traffic should be permitted. This restriction means that even if malware executes on the PAW (which the application allowlisting and EDR should prevent), it cannot reach external command-and-control infrastructure through the administrative network.
Replace SSH key management with Session Manager for AWS EC2 access
AWS Systems Manager Session Manager eliminates three PAW-related operational problems simultaneously: it removes the need for inbound SSH ports on EC2 instances (reducing attack surface), eliminates SSH key management (a common source of unauthorized access via leaked or unrevoked keys), and provides built-in session logging to CloudWatch Logs and S3. Configure IAM policies to allow only administrators to start sessions, require MFA as a condition for ssm:StartSession, and restrict sessions to specific instance resource ARNs so each administrator can only reach the instances relevant to their role. The SSM agent is available for Windows and Linux EC2 instances and is preinstalled on Amazon Linux 2.
Authentication: hardware keys and just-in-time access
Phishing-resistant MFA and just-in-time role activation are the authentication controls that close the gaps that network isolation and device hardening leave open. Hardware security keys implementing FIDO2 perform origin-bound authentication that prevents real-time phishing proxy attacks from succeeding even when a user completes an MFA challenge on a spoofed login page, which is the attack vector that defeats authenticator app TOTP codes and SMS OTP. Just-in-time access via Azure PIM or AWS IAM Identity Center eliminates standing privileged role membership so that compromised credentials outside an activation window cannot be used for administrative tasks, limiting the blast radius of any credential theft incident to the duration of the activation window rather than indefinitely.
Require hardware security keys for all privileged account authentication
Enforce FIDO2 hardware security key enrollment as a condition of privileged account provisioning. In Azure AD, configure a conditional access policy requiring hardware security key authentication for any sign-in to privileged roles (Global Administrator, Security Administrator, Privileged Role Administrator, and the cloud workload equivalents). In AWS, configure IAM policies with a Condition key requiring MFA for all sensitive API calls and configure the MFA device to require a hardware TOTP device rather than virtual authenticator. Distribute hardware keys (YubiKey 5 series or equivalent) to each administrator before provisioning the privileged account, and document the key serial number in the identity management system for audit purposes.
Implement just-in-time access for privileged roles rather than standing access
Standing privileged role membership means administrators carry high-privilege credentials at all times, increasing the window of exposure if credentials are compromised. Just-in-time (JIT) access requires administrators to request and receive approval for time-bounded role assignment before performing administrative tasks. In Azure AD, use Privileged Identity Management (PIM) to require MFA-authenticated activation for Global Admin and other privileged roles with a maximum 8-hour activation window. In AWS, use IAM Identity Center permission sets with time-bounded role assumption and require additional MFA verification for production account access. JIT access limits the exposure window for compromised credentials to the maximum activation duration.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The bottom line
Privileged access workstations address the most common enterprise compromise pattern: credential theft from a general-purpose user endpoint that cached administrative access. The full PAW architecture uses dedicated hardware, a separate administrative network segment, application allowlisting, hardware security keys for MFA, and session recording for audit. For organizations without dedicated hardware budget, hardened VMs and cloud-based virtual desktops in isolated network segments provide the core isolation property at lower cost. AWS Systems Manager Session Manager eliminates the bastion host and SSH key management overhead for cloud infrastructure access. The priority order is: hardware MFA first, network isolation second, device hardening third, session recording fourth.
Frequently asked questions
What is a privileged access workstation and why is it required?
A privileged access workstation (PAW) is a dedicated device or hardened virtual environment used exclusively for administrative tasks such as managing Active Directory, accessing cloud consoles, connecting to production servers, and performing security operations. It is required because administrative credentials used on a daily-use endpoint are at risk from every phishing email, malicious download, and browser exploit that the user encounters. If malware runs on the same machine that caches domain admin credentials, those credentials are stolen. A PAW eliminates this risk by creating a device with no email client, no general web browsing, no user applications, and no connection to the general internet, used only for the specific administrative sessions that require privileged credentials.
What should I harden on a privileged access workstation?
PAW hardening covers these controls: application allowlisting using Windows Defender Application Control or AppLocker so only approved administrative tools can execute, firewall rules restricting outbound connections to only the specific IPs and ports used for administrative tasks, no email client or browser (or a locked-down browser with no extensions that can only reach cloud consoles), EDR with the highest detection sensitivity profile, full disk encryption with pre-boot authentication, CIS Level 2 benchmark applied to the OS, USB port restrictions to block unauthorized device attachment, and no local administrator accounts beyond the required administrative account. The device should have no connection to the general user network segment.
How should I set up a bastion host for secure server access?
A bastion host (jump server) for SSH access to Linux servers should be deployed in a dedicated administrative subnet with no inbound internet access except from approved IP ranges (such as VPN exit nodes or PAW network ranges). Harden the bastion host with CIS Level 2 benchmark, disable password authentication in sshd_config (AllowPasswordAuthentication no), use SSH key authentication only, configure sshd to log all sessions (LogLevel VERBOSE), restrict which users can SSH to the bastion using AllowUsers or AllowGroups, enable fail2ban or equivalent for repeated authentication failures, and disable SSH agent forwarding to prevent credential forwarding attacks. Forward bastion SSH logs to your SIEM for session auditing.
How does AWS Systems Manager Session Manager replace a bastion host?
AWS Systems Manager Session Manager provides shell access to EC2 instances via the AWS console or CLI using IAM-authenticated HTTPS sessions without requiring inbound SSH or RDP ports on the instance or a bastion host. The SSM agent installed on the instance establishes an outbound HTTPS connection to the SSM service. To start a session, a user runs aws ssm start-session with their IAM credentials. IAM policies control which users can start sessions to which instances using resource-level conditions on the ssm:StartSession permission. Session input and output is logged to CloudWatch Logs and S3 for audit. This eliminates SSH key management, bastion maintenance, inbound firewall rules, and bastion host patching overhead.
What MFA method should I require for privileged accounts?
Phishing-resistant MFA using FIDO2 hardware security keys (such as YubiKey or Google Titan) is the required standard for privileged accounts. FIDO2 keys perform origin-bound authentication where the key only signs the challenge if the browser's current URL domain matches the domain registered during enrollment. This prevents real-time phishing attacks where an attacker proxies the authentication flow and captures the OTP in transit: even if the user completes the MFA challenge on a phishing page, the key signature includes the phishing domain and fails verification at the legitimate service. Authenticator app TOTP and SMS OTP are both susceptible to real-time phishing proxy attacks and should not be used for privileged accounts.
How do I implement the PAW model for a small team without dedicated hardware?
For small teams without budget for dedicated PAW hardware, a hardened virtual machine approach provides most of the security benefit: create a separate VM on each administrator's workstation using Hyper-V or VMware, install a minimal OS, apply CIS hardening, restrict network access to only administrative destinations using VM network rules, and use that VM exclusively for administrative sessions. Do not share clipboard or file system between the VM and the host to prevent credential leakage. Alternatively, a cloud-based PAW using a hardened Azure Virtual Desktop or AWS WorkSpaces instance in an isolated network segment provides the administrative isolation without physical hardware requirements. Require VPN connection to an administrative network before connecting to the cloud-based PAW.
How do I record and audit privileged administrative sessions?
Session recording for privileged access can be implemented at several layers. For AWS EC2 access via Session Manager, enable session logging in SSM preferences to write all terminal input and output to CloudWatch Logs and S3 with a KMS-encrypted S3 bucket. For SSH bastion access, deploy a privileged access management (PAM) tool like HashiCorp Boundary or CyberArk that proxies SSH connections and records session video. For Windows RDP access, use Azure Bastion or a PAM tool that records RDP sessions. At minimum, ensure that all privileged authentication events are logged to a SIEM with alerts for failed authentication attempts and sessions outside business hours from unexpected source IPs.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
