I recently setup a Bastion host to secure a development environment on AWS. The Bastion only exposes port 22 for SSH and I wanted to restrict access to a whitelist of authorized IP addresses rather than leave port 22 open to the internet. Further - I wanted to restrict 443 and 80 inbound to the development environment so that only authorized users/developers could access the pre-release builds deployed there.
But I and others on my team switch IP addresses often and don’t want to hassle with manual manipulation of AWS Security Groups each time I move networks in meatspace. So I threw together a “knock for access” firewall using API Gateway & lambda to conveniently add and expire authorized IP addresses on the applicable Security Groups. Enjoy!