diff --git a/clouds/aws/modules/aws-bastion/README.md b/clouds/aws/modules/aws-bastion/README.md
new file mode 100644
index 0000000..be1e883
--- /dev/null
+++ b/clouds/aws/modules/aws-bastion/README.md
@@ -0,0 +1,52 @@
+# aws-bastion
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.0 |
+| [aws](#requirement\_aws) | >= 3.72 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.72 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_ssm_parameter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [instance\_type](#input\_instance\_type) | Instance type to use for the Bastion Host | `string` | `"t3.small"` | no |
+| [instance\_user](#input\_instance\_user) | Bastion Host user | `string` | `"ec2-user"` | no |
+| [key\_name](#input\_key\_name) | Name of the Key Pair to use for ssh into the Bastion Host instance. Assumes PEM format. | `string` | n/a | yes |
+| [resource\_prefix](#input\_resource\_prefix) | Prefix for the name of the resources created by this module | `string` | n/a | yes |
+| [source\_security\_group\_id](#input\_source\_security\_group\_id) | Security Group ID for the EKS Node groups | `string` | n/a | yes |
+| [ssh\_cidr\_blocks](#input\_ssh\_cidr\_blocks) | CIDR block for the Security Group to allow SSH inbound traffic | `set(string)` | n/a | yes |
+| [subnet\_id](#input\_subnet\_id) | Subnet ID to place the Bastion Host in | `string` | n/a | yes |
+| [tags](#input\_tags) | Tags to apply to the resources created by this module | `map(string)` | `{}` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID to place the Bastion Host in | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [bastion\_ssh\_connection\_string](#output\_bastion\_ssh\_connection\_string) | SSH connection string for the Bastion Host. Replace to the path to the public key. |
+| [security\_group\_id](#output\_security\_group\_id) | Security Group ID for the Bastion Host |
+
diff --git a/clouds/aws/modules/aws-bastion/main.tf b/clouds/aws/modules/aws-bastion/main.tf
index 7615f6c..727b2e7 100644
--- a/clouds/aws/modules/aws-bastion/main.tf
+++ b/clouds/aws/modules/aws-bastion/main.tf
@@ -13,6 +13,11 @@ resource "aws_instance" "this" {
subnet_id = var.subnet_id
vpc_security_group_ids = [aws_security_group.this.id]
associate_public_ip_address = true
+ disable_api_termination = true
+ ebs_optimized = true
+ metadata_options {
+ http_tokens = "required"
+ }
tags = merge(var.tags, {
Name = local.bastion_host_name