Bastionhost lets you periodically rotate the passwords and SSH keys used to log in to your assets. Rotating credentials reduces secret disclosure risk, limits exposure from idle accounts, and simplifies batch credential management across large asset inventories.
Choose a rotation approach
Bastionhost supports two rotation approaches. Choose based on your operating system and whether you use Key Management Service (KMS).
| Approach | Supported OS | Rotation types | Requires KMS |
|---|---|---|---|
| Solution 1: Create a password change task in Bastionhost | Linux ECS only | Password | No |
| Solution 2: Use Bastionhost with KMS | Linux ECS, Windows ECS | Password, SSH key (Linux only) | Yes |
Use Solution 1 for Linux-only environments where you want a self-contained rotation workflow inside Bastionhost. Use Solution 2 when you need to rotate SSH keys, manage Windows ECS instances, or centralize secret storage in KMS so that multiple systems can consume rotated secrets.
Solution 1: Create a password change task in Bastionhost
Create a password change task to periodically rotate the passwords of Linux Elastic Compute Service (ECS) instances hosted in Bastionhost. Password change tasks let you control the rotation schedule and enforce password complexity rules.
This solution applies to Linux ECS instances only. Host accounts must use SSH protocol with password authentication. Accounts using an SSH key or a shared key cannot be added to a password change task.
Prerequisites
Before you begin, ensure that you have:
A bastion host with Linux ECS instances already added as hosts
Host accounts configured with SSH protocol and password authentication
Create a password change task
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
On the Password Change page, click Create Password Change Task.
In the Create Password Change Task panel, configure the following parameters and click Create.
| Parameter | Description |
|---|---|
| Task name | A name for the password change task. |
| Execution method | How the task runs. Select Periodic to run the task repeatedly on a defined schedule, or Scheduled to run it once at a specific time. See the details below. |
| Password rules | The complexity and length requirements for generated passwords. See the details below. |
| Remarks | An optional description for the task. |
Execution method details
Periodic: Set Executed at to a time at least 5 minutes from now, then set Period (maximum: 365 days). Bastionhost runs the task repeatedly based on this cycle.
Scheduled: Set Executed at to a time at least 5 minutes from now. Bastionhost runs the task once at that time.
Password rules details
| Setting | Description | Valid values |
|---|---|---|
| Password strength | Character types to include in generated passwords. Select at least two types for stronger passwords. | Digits, Lowercase letters, Uppercase letters, Other characters |
| Password length | The minimum and maximum length of generated passwords. | 8–32 characters |
| Password policies | Fine-grained constraints: the minimum count of each character type, the maximum number of times any single character may appear, and any characters to exclude. The sum of minimum character counts cannot exceed the password length. | Min per type: 0–32; Max character repetition: 1–32 |
Click Associate account. On the Managed accounts tab, click Add host account.
In the Add host account dialog box, select the host accounts to add and click Add. Keep in mind the following limits when adding host accounts:
A host account can belong to only one password change task at a time.
The host account must use SSH protocol with password authentication. Accounts using an SSH key or a shared key are not eligible.
After the task is created and associated, a confirmation message appears and the task is listed on the Password Change page.
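The password rules above (character types, 8–32 length bounds, per-type minimums of 0–32, a maximum repetition of 1–32, excluded characters, and the rule that per-type minimums must not exceed the password length) are worth modelling when you need to check that a policy is satisfiable before rolling it out, or to verify that a generated password actually meets the policy. The following is an added example and not Bastionhost's own generator; it assumes a concrete set for "Other characters" (the page does not list one), enforces the page's "at least two types" recommendation as a hard rule, and checks the sum of minimums against the maximum length. The names `PasswordPolicy`, `validate_policy`, `check_password` and `generate_password` are the example's own.

```python
import secrets
import string
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The four character types offered under "Password strength". The concrete
# set used for "Other characters" is a constructed assumption; the console's
# exact set is not stated on the page.
CHAR_TYPES: Dict[str, str] = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "other": "!@#$%^&*()-_=+[]{};:,.?",
}


@dataclass
class PasswordPolicy:
    """Mirrors the Password rules settings: types, length bounds and policies."""
    types: Tuple[str, ...]                      # selected character types
    min_length: int = 8
    max_length: int = 32
    min_per_type: Dict[str, int] = field(default_factory=dict)  # e.g. {"digits": 2}
    max_repetition: int = 32                     # max occurrences of any one character
    excluded: str = ""                           # characters never to use


def allowed_chars(policy: PasswordPolicy, char_type: str) -> str:
    """Alphabet of one character type after removing excluded characters."""
    return "".join(c for c in CHAR_TYPES[char_type] if c not in policy.excluded)


def validate_policy(policy: PasswordPolicy) -> List[str]:
    """Return the reasons the policy can never be satisfied (empty list = valid)."""
    errors = []
    if not 8 <= policy.min_length <= policy.max_length <= 32:
        errors.append("length bounds must satisfy 8 <= min <= max <= 32")
    unknown = set(policy.types) - set(CHAR_TYPES)
    if unknown:
        errors.append(f"unknown character types: {sorted(unknown)}")
    if len(policy.types) < 2:
        # The page recommends at least two types; this example enforces it (assumption).
        errors.append("select at least two character types")
    if not 1 <= policy.max_repetition <= 32:
        errors.append("max character repetition must be 1-32")
    for char_type, count in policy.min_per_type.items():
        if char_type not in policy.types:
            errors.append(f"minimum set for unselected type {char_type!r}")
        elif not 0 <= count <= 32:
            errors.append(f"minimum for {char_type!r} must be 0-32")
        elif char_type in CHAR_TYPES and \
                count > len(allowed_chars(policy, char_type)) * policy.max_repetition:
            errors.append(f"minimum for {char_type!r} is unreachable under exclusions/repetition")
    if sum(policy.min_per_type.values()) > policy.max_length:
        errors.append("sum of per-type minimums exceeds the maximum password length")
    for char_type in policy.types:
        if char_type in CHAR_TYPES and not allowed_chars(policy, char_type):
            errors.append(f"exclusions leave no usable characters for {char_type!r}")
    return errors


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return every rule the password violates (empty list = compliant)."""
    errors = []
    if not policy.min_length <= len(password) <= policy.max_length:
        errors.append("length outside allowed range")
    alphabets = {t: allowed_chars(policy, t) for t in policy.types if t in CHAR_TYPES}
    pool = "".join(alphabets.values())
    bad = sorted({c for c in password if c not in pool})
    if bad:
        errors.append(f"characters not permitted by policy: {bad}")
    for char_type, required in policy.min_per_type.items():
        have = sum(1 for c in password if c in alphabets.get(char_type, ""))
        if have < required:
            errors.append(f"need at least {required} {char_type}, found {have}")
    if password and max(Counter(password).values()) > policy.max_repetition:
        errors.append("a character repeats more than allowed")
    return errors


def generate_password(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Generate a policy-compliant password from the OS CSPRNG (secrets module)."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    length = policy.max_length if length is None else length
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("requested length outside policy bounds")
    if sum(policy.min_per_type.values()) > length:
        raise ValueError("per-type minimums exceed the requested length")
    alphabets = {t: allowed_chars(policy, t) for t in policy.types}
    pool = "".join(alphabets.values())
    if length > len(pool) * policy.max_repetition:
        raise ValueError("length unreachable with this alphabet and repetition limit")
    rng = secrets.SystemRandom()
    for _ in range(1000):  # rejection sampling handles the repetition limit
        # Satisfy every per-type minimum first, then fill from the whole pool.
        chars = [secrets.choice(alphabets[t])
                 for t, n in policy.min_per_type.items() for _ in range(n)]
        chars += [secrets.choice(pool) for _ in range(length - len(chars))]
        rng.shuffle(chars)  # CSPRNG-backed shuffle so minimums are not positional
        candidate = "".join(chars)
        if not check_password(candidate, policy):
            return candidate
    raise RuntimeError("could not satisfy the policy; relax max_repetition or exclusions")
```

`validate_policy` is the part to run before saving a task: a policy whose per-type minimums add up to more than the length, or whose exclusions empty out a selected character type, will make every rotation fail rather than produce a weak password. Running `check_password` on a stored credential is a cheap way to confirm a rotation actually applied the rules you configured.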
Solution 2: Use Bastionhost with KMS
Bastionhost integrates with Key Management Service (KMS) to let you import ECS secrets from KMS and use KMS's native rotation capability to rotate passwords or SSH keys. After rotation, operations and maintenance (O&M) engineers continue accessing ECS instances through Bastionhost — no credential redistribution needed, because Bastionhost retrieves the current secret version from KMS in real time.
For Linux ECS instances, both password rotation and SSH key rotation are supported. For Windows ECS instances, only password rotation is supported.
Prerequisites
Before you begin, ensure that you have:
ECS secrets already created and managed in KMS
Bastionhost authorized to access KMS (complete the authorization in Bastionhost before importing secrets)
A bastion host with the target ECS instances already added as hosts
Import KMS secrets into Bastionhost
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose Assets > Hosts.
In the host list, find the target host and click Import KMS Secret in the Actions column.
In the Import KMS Secret dialog box, select the ECS secrets to import and click Import.
After the import completes, click the host name to open the host detail page. On the Host Account tab, the imported secrets are listed and ready for use.
KMS handles the rotation schedule. Once you configure rotation in KMS, Bastionhost automatically picks up each new secret version — no further action is needed in Bastionhost.
What's next
To configure secret rotation schedules in KMS, see the KMS documentation on secret rotation.
To review or update password change task settings, go to the Password Change page in the Bastionhost console.
To verify that a password change task ran successfully, check the task status on the Password Change page after the scheduled execution time.